
I have tried two approaches:

-- Using form_open : With this approach, I am able to add a field with the CSRF Token in the request header as well as in cookies. But the same CSRF Token is generated every time, and hence I am not able to prevent the attack.

Also, I need to know: apart from adding the Token on the client side, is there any need to check it at the server side, or is it done automatically?

-- Using hidden input field with custom form tags : With this, I added a random token as the input field, but I am still not able to avoid the attack.

For the second approach, I need to know the changes we need to make in the Security.php file, and for this also whether we have to do any server-side check or not.

Pardeep

1 Answer


The first approach is advised mainly because the CI code is well-tested, tried-and-true code. I assume the second method is something you intend to write yourself. If that's the case you are reinventing the wheel without good cause.

Using the CI code it is important to understand that the hash value of the token will not change unless you use the following in config.php

$config['csrf_regenerate'] = TRUE;

The other thing you need to know is that a new hash will be generated only when a POST request is made to the server. That's fine because the need for CSRF protection is only relevant for POST requests.

When making multiple GET requests, i.e. loading a <form> a number of times in succession, you will likely see the same hash value each time. But if you submit the form and then reload it you will see a new hash value.

Finally, you should know that the CSRF values are only checked for POST requests and are not checked for GET requests.

The hash value will be removed from $_POST after it is successfully validated.

All of the above happens automatically if you use the $config setting shown in combination with form_open().

DFriend
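The setup the answer describes, written out as an added example (this is not code from the question, the answer or the CodeIgniter project). It assumes CodeIgniter 3.x with the default CI_Security class and the form helper; the Profile controller, its save() route and the display_name field are hypothetical. It shows the config.php settings, a view that gets its token from form_open(), and a controller method that runs only after the framework has already verified the token, plus how an AJAX caller can pick up the regenerated hash after a POST.

```php
<?php
// Added example, not from the original post or the CodeIgniter project.
// Assumes CodeIgniter 3.x; controller, route and field names are hypothetical.

// --- application/config/config.php (fragment) ---
// Enables the built-in CSRF filter. With csrf_regenerate left at FALSE the
// same hash is reused for the lifetime of the cookie, which is what the
// question observed; TRUE issues a fresh hash after each validated POST.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';   // hidden <input> name
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // cookie the input is compared against
$config['csrf_expire']       = 7200;               // seconds the cookie is valid
$config['csrf_regenerate']   = TRUE;
// Only URIs that legitimately receive cross-site POSTs (payment gateway
// callbacks, webhooks) belong here; everything else stays protected.
$config['csrf_exclude_uris'] = array();

// --- application/views/profile_form.php (hypothetical view) ---
// form_open() emits <input type="hidden" name="csrf_test_name" value="...">
// whose value matches the csrf_cookie_name cookie, so no hand-written token
// field is needed. GET requests to this view are never CSRF-checked.
echo form_open('profile/save');
echo form_input('display_name', set_value('display_name'));
echo form_submit('submit', 'Save');
echo form_close();

// --- application/controllers/Profile.php (hypothetical controller) ---
class Profile extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper('form');
    }

    public function form()
    {
        $this->load->view('profile_form');
    }

    public function save()
    {
        // CI_Security::csrf_verify() ran during bootstrap: on a POST it
        // compared the field with the cookie and aborted with a 403 on
        // mismatch, so this method only executes for requests that passed.
        // Nothing here re-checks the token.

        // The framework strips the validated token from $_POST, so reading
        // it back yields NULL rather than the submitted hash.
        $leftover = $this->input->post($this->security->get_csrf_token_name());
        log_message('debug', 'csrf field after validation: ' . var_export($leftover, TRUE));

        $name = $this->input->post('display_name', TRUE);
        // ... persist $name for the logged-in user here ...

        // With csrf_regenerate = TRUE a new hash was just issued. An AJAX
        // client that will POST again must receive it, otherwise its next
        // request carries the old hash and is rejected. A full page reload
        // picks the new value up automatically via form_open().
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'ok'         => TRUE,
                'csrf_name'  => $this->security->get_csrf_token_name(),
                'csrf_hash'  => $this->security->get_csrf_hash(),
            )));
    }
}
```

The only server-side decision left to the application is which URIs to exclude; the comparison, the 403 response, the removal of the field from $_POST and the regeneration are all done by CI_Security before any controller code runs.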