Ummm, is CSRF really this simple??? Or am I missing something here???
[eluser]boltsabre[/eluser]
Hi guys, just a really quick question about CSRF in CI (note, I'm using CI V2, not the old one). The official documentation only has 3 lines on the whole issue, and I just wanted to make sure my website is going to be safe! Is all I have to do to set it up this line of code: $config['csrf_protection'] = TRUE; and ensure I use form_open()? So is it really this simple to implement and use (i.e., my site is now protected from CSRF attacks?), or is there other stuff I have to handle in the controllers/models for it to work? If so, does anyone have a link to a good tutorial? Thanks in advance.
[eluser]boltsabre[/eluser]
Really... 44 views and no one with a 'yes' or 'no' answer?
[eluser]Zaher Ghaibeh[/eluser]
Yes, that's right. You can view your code (generated HTML) and you will notice that there are 2 new hidden fields which you didn't add, related to the csrf name that you have chosen in your config file.
[eluser]eoinmcg[/eluser]
For POST requests yes, for GET no. For example, imagine your site has a backend that allows a logged-in user to delete pages: http://example.com/admin/pages/delete/ID. A malicious person could then delete by directing you to a page with <img src="http://example.com/admin/pages/delete/ID" />. Of course, it's not best practice to allow destructive actions via a GET (URL) request. In the above example you could require the user to confirm their intent with a form.
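To make the two points in this thread concrete, here is an added example controller (not code from the thread or from CodeIgniter itself) showing the GET-only delete action beside the confirm-form version that form_open() and csrf_protection actually cover. It assumes a CodeIgniter 2 app with $config['csrf_protection'] = TRUE, the database library autoloaded, a 'pages' table, and a view called admin/confirm_delete; the controller file path and method names are assumptions.

```php
<?php
// application/controllers/admin/pages.php (assumed path). Added example.
// Assumes in application/config/config.php:
//   $config['csrf_protection'] = TRUE;
//   $config['csrf_token_name']  = 'csrf_test_name';
//   $config['csrf_cookie_name'] = 'csrf_cookie_name';
// and that the database library is autoloaded.

class Pages extends CI_Controller {

    // Before: destructive action on a plain GET URL, e.g.
    // /admin/pages/delete_insecure/ID. CI's CSRF check only runs when
    // POST data is present, so a forged GET (an <img> tag on another
    // site) is never challenged.
    public function delete_insecure($id)
    {
        $this->db->delete('pages', array('id' => (int) $id));
    }

    // After, step 1: the GET URL only shows a confirmation form.
    // form_open() adds the hidden CSRF token field automatically
    // because csrf_protection is enabled in config.
    public function delete($id)
    {
        $this->load->helper('form');
        $data['form'] = form_open('admin/pages/confirm_delete')
            . form_hidden('id', (int) $id)
            . form_submit('confirm', 'Delete this page')
            . form_close();
        $this->load->view('admin/confirm_delete', $data);
    }

    // After, step 2: only a POST performs the deletion. Before this
    // method runs, CI's Security library has already compared the
    // submitted token with the CSRF cookie and rejected a request
    // whose token is missing or wrong.
    public function confirm_delete()
    {
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            show_404();   // no GET path to the destructive action
            return;
        }
        $this->load->helper('url');
        $id = (int) $this->input->post('id');
        $this->db->delete('pages', array('id' => $id));
        redirect('admin/pages');
    }
}
```

Compare the rendered output of delete() with the insecure URL: only the form submission carries the hidden token field, which is why the framework can tell the confirmed POST apart from a forged request.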
[eluser]boltsabre[/eluser]
Great, thanks guys, that was exactly what I was after: set it up in config, use form_open() and all is good (so long as you're using POST, not GET, which I don't anyway for the reasons eoinmcg pointed out). It's so simple, so simple in fact that I was having a hard time believing that that is all I had to do. Thanks again guys!!!