Enabling CSRF to TRUE in CodeIgniter |
Just read that CodeIgniter 2.x has built-in CSRF protection. Now upon reading the documentation, I didn't found anything relating CSRF, just an option of setting it to TRUE in the config.php file then that's it. However, in my system I don't use this form_helper which automatically incorporates the CSRF protection of the CodeIgniter, instead I have the native <form> of HTML.
My concern is do I need to do anything to implement the CSRF of CodeIgniter, or just setting the option to TRUE is enough?
Please upgrade to Codeigniter 4
That hummer you are using was released 31 Oct 2015. It is almost 2023. Ci4 has better security, coding standards and more.
try something like in form
Code: <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" /> do you also have: Code: $config['csrf_regenerate'] = TRUE; in the controller that you send the form data to put : Code: echo $this->security->get_csrf_token_name();
To enable CRSF in Codeigniter all you need to do is:
Set the option to "TRUE" in the config file All your forms MUST use the form_open() helper function. This will automatically generate and include a 'hidden' CSRF token in your forms. Codeigniter will then automatically check this token on each form submission as part of the security funciton. If it detects a CSRF error, it will throw a 401 error automatically. You dont need to do anything else. edit: I just re-read that you do not use form_open(). It might be possible to manually insert the CSRF token into the forms yourself - but it would be more work than is required. Just convert all your forms to use form_open - and it will work seemlessly. (And yes - this is one of the few poorly documented features in CI - so I understand why you couldnt find the answer - it took me a while as well) |
Welcome Guest, Not a member yet? Register Sign In |