Codeigniter CSRF - how does it work

php security codeigniter token
CyberJunkie picture CyberJunkie · Jun 5, 2011 · Viewed 45.8k times · Source

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have have to manually do that?

Answer

Wesley Murch picture Wesley Murch · Jun 5, 2011

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

Related questions

CodeIgniter - why use xss_clean

if I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8') - is there any point to also filtering the inputs with xss_clean? What other benefits does it give?

Read More
Why is it good save to save sessions in the database?

I have seen that codeigniter have facility to save session values in database. It says saving session in database is good security practice. But I think saving session information in the database helps improve performance. They save only a few …

Read More
Codeigniter application getting hacked, code injected in index.php

I have a codeigniter 2.0.2 project that keeps getting hacked. There are two main issues: Malicious code is being added to the start of the index.php file Rogue files are added to the server According to the host there are …

Read More