Set the CSRF cookie only when needed (e.g. when a form has been created)
#1

Hello everyone,

I would like to set as few cookies as possible. Preferably none at all. But I also want to enable CSRF protection.

My idea: I don't want to set the CSRF cookie until a form (with the hidden CSRF token) is created. This allows me to hide all forms behind a "cookies are allowed" check.

What I want to do: a user comes to the website and must agree to cookies in the (famous...) cookie notice. This sets a "cookies-are-authorized-cookie". Now he can go to the login form where the CSRF cookie is only set if the "cookies-are-authorized-cookie" has been found... Otherwise he will be redirected to an information page WITHOUT the CSRF cookie (or any other cookie) being set.

Can you please help me to install such a check? I think this might be interesting for other users.

Many thanks and many greetings
#2

@Kel,

Did you take a look at the CI documentation ( https://codeigniter.com/user_guide/libra...rgery-csrf )?
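The flow asked about in post #1, as an added example that is not part of the thread and is not CodeIgniter's own code: framework-independent PHP in which the CSRF cookie is issued only when the consent cookie is present, and a submission is accepted only when cookie and hidden field match. The cookie names and the functions `prepareForm`, `verifySubmission` and `sendCsrfCookie` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names; the consent cookie is whatever the cookie notice sets.
const CONSENT_COOKIE = 'cookies_authorized';
const CSRF_COOKIE    = 'csrf_token';

/** Decide how to answer a request for a page with a form; emits no headers itself. */
function prepareForm(array $cookies): array
{
    if (($cookies[CONSENT_COOKIE] ?? '') !== '1') {
        // No consent: send the visitor to the information page and set nothing.
        return ['action' => 'redirect', 'set_cookie' => null, 'token' => null];
    }
    // Reuse a well-formed existing token so forms in other tabs stay valid.
    $token = $cookies[CSRF_COOKIE] ?? '';
    $fresh = !is_string($token) || preg_match('/^[0-9a-f]{64}$/', $token) !== 1;
    if ($fresh) {
        $token = bin2hex(random_bytes(32));
    }
    return ['action' => 'render', 'set_cookie' => $fresh ? $token : null, 'token' => $token];
}

/** A submission is valid only if cookie and hidden field both exist and match. */
function verifySubmission(array $cookies, array $post): bool
{
    $cookie = $cookies[CSRF_COOKIE] ?? '';
    $field  = $post[CSRF_COOKIE] ?? '';
    // The empty-string check matters: hash_equals('', '') would otherwise pass.
    return is_string($cookie) && is_string($field)
        && $cookie !== '' && hash_equals($cookie, $field);
}

/** Call only when prepareForm() returned a non-null 'set_cookie'. */
function sendCsrfCookie(string $token): void
{
    setcookie(CSRF_COOKIE, $token, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed requests: a visit without consent, then one with consent.
$noConsent = prepareForm([]);
$consented = prepareForm([CONSENT_COOKIE => '1']);
var_dump($noConsent['action'], $consented['action']);
var_dump(verifySubmission([CSRF_COOKIE => $consented['token']], [CSRF_COOKIE => $consented['token']]));
var_dump(verifySubmission([], [CSRF_COOKIE => $consented['token']]));
```

Any route that accepts a form POST has to call the verification unconditionally, so a visitor who never consented, and therefore has no CSRF cookie, cannot submit at all.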



