CSRF temporary deactivation
#1

[eluser]Treeda[/eluser]
Hi there...

I think everyone working with CI 2+ and CSRF enabled might have stumbled over the problem that users without cookies are not able to send any forms.

Well, for the internal part, after a login, where users have to support cookies, this isn't a problem, but on the front side, I would like to allow users to use a send message form etc., but if they have cookies disabled this is not possible.

Is there a recommended way of temporarily deactivating CSRF protection? Let's say in the constructor of a controller?
Unfortunately it seems that the security class is fetched very, very early and you have no chance to do anything inside a controller...

I would appreciate any help.

Thanks
Treeda
#2

[eluser]Treeda[/eluser]
30+ views and no ideas?

Does really no one have the same problem, or is everyone just ignoring users with deactivated cookies?
#3

[eluser]Treeda[/eluser]
OK, since nobody seems to have the same problem, I sat down and found my own solution .-)

However, I'll share it with the community. This is my approach:

Just deriving from Security

Code:
class MY_Security extends CI_Security {

    // ....

    /**
     * Verify Cross Site Request Forgery Protection
     *
     * @return    object
     */
    public function csrf_verify()
    {
        // If no POST data exists we will set the CSRF cookie
        if (count($_POST) == 0)
        {
            return $this->csrf_set_cookie();
        }

        // ADDED ----------------------
        // Skip the CSRF check for URIs listed in $config['csrf_exlude_uris']
        $CFG =& load_class('Config', 'core');
        if ($excsrf = $CFG->item("csrf_exlude_uris"))
        {
            $URI =& load_class('URI', 'core');
            // Strict comparison so only exact string matches are exempted
            if (in_array($URI->uri_string(), $excsrf, TRUE))
            {
                // Return the object, as the docblock states
                return $this;
            }
        }
        // END ADDED ----------------

        // ....

In the config file just add a section like this, naming the URLs you want to be excluded from CSRF:

Code:
$config['csrf_exlude_uris'] = array(
    "info/contact",
    "search/model"
);
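
The exclusion check from post #3 as a stand-alone PHP example (added here, not part of Treeda's post or of CodeIgniter): it trims surrounding slashes, drops empty entries, and compares strictly, so that only the listed URIs skip CSRF verification. The function names and the sample request URIs are assumptions constructed for illustration; the config key keeps the post's spelling.

```php
<?php
// Added example. Function names are hypothetical; sample data is constructed.

// Reduce a request URI or a config entry to "segment/segment" form,
// so "/info/contact/" and "info/contact" are treated as the same URI.
function normalize_uri($uri)
{
    return trim((string) $uri, '/');
}

// Keep only usable entries. An empty entry would exempt the site root,
// and a non-string entry is almost certainly a config mistake.
function clean_exclusions(array $entries)
{
    $clean = [];
    foreach ($entries as $entry) {
        if (!is_string($entry)) {
            continue;
        }
        $entry = normalize_uri($entry);
        if ($entry !== '') {
            $clean[] = $entry;
        }
    }
    return $clean;
}

// TRUE only when the normalized URI is exactly one of the listed entries.
// The third in_array() argument forces strict comparison: a loose comparison
// treats numeric strings such as "1e3" and "1000" as equal.
function csrf_is_excluded($uri, array $entries)
{
    return in_array(normalize_uri($uri), clean_exclusions($entries), true);
}

// Constructed config: the two entries from the post plus two problem entries.
$config['csrf_exlude_uris'] = ['info/contact', 'search/model', '', '1000'];

// Constructed request URIs, including sub-paths and the site root.
$requests = ['info/contact', '/info/contact/', 'info/contact/send',
             'search/model', '', '1e3', 'admin/users'];

foreach ($requests as $uri) {
    $state = csrf_is_excluded($uri, $config['csrf_exlude_uris'])
        ? 'CSRF check skipped'
        : 'CSRF check enforced';
    printf("%-22s %s\n", var_export($uri, true), $state);
}
```

Every URI that ends up on the list accepts cross-site POSTs without a token, so the list is best kept to forms whose submission has no effect on a logged-in user's account.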



