Expired session & csrf_protection
#1

[eluser]ci_user[/eluser]
Does anybody know a way to show something other than a server error page when a session is expired and a form is submitted with csrf_protection enabled?
#2

[eluser]CroNiX[/eluser]
The way they coded it, the only way is to extend the CI_Security class and override the csrf_show_error() method with your own.
#3

[eluser]ci_user[/eluser]
[quote author="CroNiX" date="1338495649"]The way they coded it, the only way is to extend the CI_Security class and override the csrf_show_error() method with your own.[/quote]

OK, I'm trying that, but how can I redirect in the csrf_show_error() method?
Code:
public function csrf_show_error()
{
    // show_error('The action you have requested is not allowed.');
    redirect('myController');
}
Gives me the error "Call to undefined function redirect()".
Code:
public function csrf_show_error()
{
    // show_error('The action you have requested is not allowed.');
    $this->load->helper('url');
    redirect('benefits');
}
Gives me the error "Call to a member function helper() on a non-object".

Am I missing something?
#4

[eluser]CroNiX[/eluser]
Yeah, CI isn't fully loaded at that point, so that helper function (or the loader class) isn't available yet. Just send a real header() using regular PHP.
#5

[eluser]ci_user[/eluser]
I did consider that, but when I try it, it appears to bypass CSRF protection altogether.
Code:
public function csrf_show_error()
{
    // show_error('The action you have requested is not allowed.');
    header('Location: http://mywebsite.com');
}

This code doesn't redirect the page but allows the form to submit without a valid session.

I did find a kind of hacky way to make it work:
Code:
public function csrf_show_error()
{
    // show_error('The action you have requested is not allowed.');
    die('[removed]document.location.href="http://mywebsite.com";[removed]');
}

[removed] = script tags. Surely there is a better way?
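An override of the kind CroNiX describes that redirects and actually stops the request, written as an added example for this thread (not code posted by either participant). The file location follows CodeIgniter's default MY_ subclass prefix; the /session_expired route is an assumption.

```php
<?php
// application/core/MY_Security.php (assumed location; CI loads it via the
// default subclass_prefix 'MY_').
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security {

    /**
     * Called by CI_Security::csrf_verify() when the CSRF token is missing
     * or does not match, e.g. because the session that held it expired.
     * The loader and the URL helper are not available yet, so only plain
     * PHP and the Common.php functions (config_item, show_error) are usable.
     */
    public function csrf_show_error()
    {
        // config_item() reads the config array directly, without the loader,
        // so it is safe this early. The route is an assumption for this example.
        $target = rtrim(config_item('base_url'), '/') . '/session_expired';

        // If output has already started, a Location header cannot be sent;
        // fall back to the stock error page, which also terminates.
        if (headers_sent())
        {
            parent::csrf_show_error();
        }

        // 303 makes the browser follow up with a GET, so the rejected POST
        // body is not replayed against the new URL.
        header('HTTP/1.1 303 See Other');
        header('Location: ' . $target);

        // This is what the header()-only attempt above was missing: without
        // it PHP keeps running, csrf_verify() returns, and the controller
        // handles the POST as if the token had matched.
        exit;
    }
}
```

The die() with inline JavaScript "works" only because die() stops execution; the exit after header() achieves the same without relying on the client to run a script.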