Custom CSRF
#1

[eluser]Ali Fattahi[/eluser]
Hello dear friends,
I have a problem with CSRF.
I've enabled csrf_protection in my config file and it is working well in my forms, but I have some URLs (like a bank's callback URL) through which the bank sends me some information about an invoice or a payment, and the CSRF protection does not allow getting information from those URLs.
How can I solve this problem or make an exception for some URLs?

Best Regards
Ali
#2

[eluser]Ali Fattahi[/eluser]
Isn't there any idea for this problem?
#3

[eluser]fatTireFreak[/eluser]
I had a similar issue. What I'm thinking of doing is something like this.

In my config I'm going to create an entry like this:
Code:
$config['csfr_exclusions'] = array(
    'controller1' => array('method1', 'method2'),
    'controller2' => array('method1'),
);

Then I created a MY_Input class and put this code in the constructor:
Code:
public function __construct()
{
    $CFG =& load_class('Config');
    $SEC =& load_class('Security');
    $RTE =& load_class('Router');

    $this->security =& $SEC;
    $this->router   =& $RTE;
    $this->config   =& $CFG;

    // CI_Input's constructor calls _sanitize_globals(), which (below) calls
    // csrf_verify(), so the router reference must exist before it runs.
    parent::__construct();
}

In the MY_Input class's _sanitize_globals() method I changed the call to csrf_verify() to a method in the MY_Input class:
Code:
if ($this->_enable_csrf == TRUE)
{
    $this->csrf_verify();
}

Then I created this method in the MY_Input class:
Code:
public function csrf_verify()
{
    $controller      = $this->router->fetch_class();
    $method          = $this->router->fetch_method();
    // Key name must match the entry in config.php
    $csrf_exclusions = config_item('csfr_exclusions');

    // config_item() returns FALSE when the key is not set at all,
    // so guard with is_array() before looking the controller up.
    $excluded = is_array($csrf_exclusions)
        && array_key_exists($controller, $csrf_exclusions)
        && in_array($method, $csrf_exclusions[$controller]);

    if ( ! $excluded)
    {
        $this->security->csrf_verify();
    }
}
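The post above exempts a controller method from the framework's CSRF check. Two things a practitioner wants around such an exemption: a way to test the exclusion lookup outside CodeIgniter, and a replacement authenticity check for the exempted URL, because once the CSRF token is no longer required the callback accepts a POST from anyone unless something else authenticates the caller. A bank callback is normally authenticated by a signature over the payload with a shared secret (or by a server-to-server status query to the bank), never by the browser session. The following is an added example, not code from the thread or from CodeIgniter; it is plain PHP so it runs offline with `php`. The config array shape is the poster's; the `'*'` wildcard, the function names, the field names and the HMAC-SHA256-over-sorted-fields signature scheme are assumptions made here for illustration, not any real gateway's protocol.

```php
<?php
// Added example, not code from the thread or from CodeIgniter. Plain PHP so it
// runs outside the framework: `php csrf_exclusion_demo.php`.
// Needs PHP >= 5.6 for hash_equals().

/**
 * Return TRUE when $controller/$method is listed in $exclusions.
 * Same array shape as the config entry in the post above:
 *   array('controller' => array('method1', 'method2'))
 * Generalised slightly: matching is case-insensitive (CodeIgniter lower-cases
 * the routed class and method), and a method list of array('*') excludes every
 * method of that controller.
 */
function csrf_is_excluded(array $exclusions, $controller, $method)
{
    $controller = strtolower($controller);
    $method     = strtolower($method);

    foreach ($exclusions as $ctrl => $methods) {
        if (strtolower($ctrl) !== $controller) {
            continue;
        }
        foreach ((array) $methods as $m) {
            if ($m === '*' || strtolower($m) === $method) {
                return TRUE;
            }
        }
    }
    return FALSE;
}

/**
 * Canonicalise the callback fields as key=value pairs sorted by key, so the
 * sender and the receiver sign the same byte string regardless of field order.
 * This scheme is an ASSUMPTION for illustration; a real gateway documents its own.
 */
function callback_canonical_string(array $fields)
{
    ksort($fields, SORT_STRING);
    $pairs = array();
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return implode('&', $pairs);
}

/**
 * Verify the HMAC-SHA256 signature the (hypothetical) bank sends with a callback.
 * hash_equals() compares in constant time, so a forger cannot recover the
 * expected signature byte by byte from response timing.
 */
function callback_signature_valid(array $fields, $received_sig, $shared_secret)
{
    $expected = hash_hmac('sha256', callback_canonical_string($fields), $shared_secret);
    return hash_equals($expected, (string) $received_sig);
}

/** Run the checks on constructed data; returns TRUE when every expectation holds. */
function run_demo()
{
    // Constructed config, same shape as $config['csfr_exclusions'] in the thread.
    $exclusions = array(
        'payment' => array('bank_callback'),
        'webhook' => array('*'),
    );
    $results = array(
        csrf_is_excluded($exclusions, 'Payment', 'bank_callback') === TRUE,
        csrf_is_excluded($exclusions, 'payment', 'checkout')      === FALSE, // still protected
        csrf_is_excluded($exclusions, 'webhook', 'any_method')    === TRUE,
        csrf_is_excluded($exclusions, 'account', 'bank_callback') === FALSE,
    );

    // Constructed callback: a secret agreed out of band, the fields the bank
    // posts, and the signature a legitimate bank would compute over them.
    $secret   = 'shared-secret-configured-out-of-band';
    $payload  = array('invoice' => '1001', 'amount' => '250000', 'status' => 'OK');
    $good_sig = hash_hmac('sha256', 'amount=250000&invoice=1001&status=OK', $secret);

    $tampered = $payload;
    $tampered['amount'] = '1';                 // attacker changes the amount

    $results[] = callback_signature_valid($payload,  $good_sig, $secret) === TRUE;
    $results[] = callback_signature_valid($tampered, $good_sig, $secret) === FALSE;
    $results[] = callback_signature_valid($payload,  'not-a-signature', $secret) === FALSE;

    return ! in_array(FALSE, $results, TRUE);
}

$ok = run_demo();
echo $ok ? "all checks passed\n" : "a check FAILED\n";
exit($ok ? 0 : 1);
```

In a CodeIgniter application the `csrf_is_excluded()` logic is what the overridden `csrf_verify()` in MY_Input decides, and `callback_signature_valid()` is what the exempted controller method should run before touching the invoice; rejecting a bad signature with a 4xx and logging the attempt is cheap, and it keeps the CSRF exemption from becoming an unauthenticated write path.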
#4

[eluser]Ali Fattahi[/eluser]
Thanks so much
#5

[eluser]Ali Fattahi[/eluser]
Hello,
I tried it and it is working fine :>
Thanks



