Ummm, is CSRF really this simple??? Or am I missing something here???
#1

[eluser]boltsabre[/eluser]
Hi guys, just a really quick question about CSRF in CI (note, I’m using CI V2, not the old one). The official documentation only has 3 lines on the whole issue, I just wanted to make sure my website is going to be safe!

Is this line of code all I have to do to set it up?

Code:
$config['csrf_protection'] = TRUE;

And ensure I use the

Code:
form_open()
on all my forms…

So is it really this simple to implement and use (i.e., my site is now protected from CSRF attacks?), or is there other stuff I have to handle in the controllers/models for it to work? If so, does anyone have a link to a good tutorial?

Thanks in advance.
#2

[eluser]boltsabre[/eluser]
Really... 44 views and no one with a 'yes' or 'no' answer?
#3

[eluser]Zaher Ghaibeh[/eluser]
Yes, that's right.
You can view your code (the generated HTML) and you will notice that there are 2 new hidden fields which you didn't add, related to the CSRF name that you chose in your config file.
#4

[eluser]eoinmcg[/eluser]
For POST requests yes, for GET no.

For example, imagine your site has a backend that allows a logged in user to delete pages:
http://example.com/admin/pages/delete/ID
A malicious person could then delete by directing you to a page with
Code:
<img src="http://example.com/admin/pages/delete/ID" />
and your page is gone.

Of course, it's not best practice to allow destructive actions via a GET (URL) request. In the above example you could require the user to confirm their intent with a form.
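One way to apply eoinmcg's advice in a CodeIgniter 2 controller, as an added example that is not from the thread or the framework docs: the delete action renders a confirmation form on GET (so a hotlinked image URL changes nothing) and only deletes on a POST, which CI's Security class has already checked for the csrf_protection token before the controller runs. The `Pages` controller and `page_model` are assumed names.

```php
<?php
// Added example (not from the thread). Assumes $config['csrf_protection'] = TRUE,
// the form and url helpers, and a hypothetical page_model with a delete($id) method.
class Pages extends CI_Controller {

    public function delete($id)
    {
        $this->load->helper(array('form', 'url'));
        $id = (int) $id;

        // GET (e.g. an <img src="..."> planted on another site): render a confirmation
        // form and stop. No state changes on a GET request.
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            // form_open() inserts the CSRF hidden field when csrf_protection is TRUE.
            echo form_open('admin/pages/delete/' . $id);
            echo form_hidden('confirm', '1');
            echo form_submit('submit', 'Delete page');
            echo form_close();
            return;
        }

        // POST: the CSRF token was validated by CI before this method ran, so a
        // forged cross-site POST never reaches here. Still require the explicit flag.
        if ($this->input->post('confirm') !== '1') {
            show_error('Deletion not confirmed.', 400);
        }

        $this->load->model('page_model');
        $this->page_model->delete($id);
        redirect('admin/pages');
    }
}
```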
#5

[eluser]boltsabre[/eluser]
Great, thanks guys, that was exactly what I was after -> set it up in config, use form_open() and all is good (so long as you're using POST, not GET - which I don't anyway for the reasons eoinmcg pointed out).

It's so simple, so simple in fact that I was having a hard time believing that that is all I had to do. Thanks again guys!!!
