25

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have have to manually do that?

CyberJunkie
  • 21,596
  • 59
  • 148
  • 215

4 Answers4

40

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

Muhammad Hassaan
  • 7,296
  • 6
  • 30
  • 50
Wesley Murch
  • 101,186
  • 37
  • 194
  • 228
3

Refer this Link -- Used CSRF Tokens using form helper or Manually

The article explains how to work around with CSRF Tokens in

  • form open with form helper form_open() function
  • in ajax forms
  • ajax/jquery serialization forms

This article also explains about how to "Disable CSRF for cetain URL's(Which are used as webservice urls)"

Muhammad Hassaan
  • 7,296
  • 6
  • 30
  • 50
anil
  • 51
  • 4
2

When csrf protection enabled security class checks this token automatically (it compares POST token with COOKIE token)

Jarek Tkaczyk
  • 78,987
  • 25
  • 159
  • 157
0

For codeigniter4 You can enable CSRF protection by altering your app/Config/Filters.php and enabling the csrf filter globally:

public $globals = [
        'before' => [
                //'honeypot'
                'csrf'
        ]
];

Change the name here app/Config/App.php

/*
    |--------------------------------------------------------------------------
    | Cross Site Request Forgery
    |--------------------------------------------------------------------------
    | Enables a CSRF cookie token to be set. When set to TRUE, token will be
    | checked on a submitted form. If you are accepting user data, it is strongly
    | recommended CSRF protection be enabled.
    |
    | CSRFTokenName   = The token name
    | CSRFHeaderName  = The header name
    | CSRFCookieName  = The cookie name
    | CSRFExpire      = The number in seconds the token should expire.
    | CSRFRegenerate  = Regenerate token on every submission
    | CSRFRedirect    = Redirect to previous page with error on failure
    */
    //public $CSRFTokenName  = 'csrf_test_name';
    public $CSRFTokenName  = 'form_csrf';
    public $CSRFHeaderName = 'X-CSRF-TOKEN';
    public $CSRFCookieName = 'csrf_cookie_name';
    public $CSRFExpire     = 7200;
    public $CSRFRegenerate = true;
    public $CSRFRedirect   = true;

If you use the form helper, then form_open() will automatically insert a hidden csrf field in your forms. If not, then you can use the always available csrf_token() and csrf_hash() functions

helper('form');//::::Load form helper

echo form_open('/u/sign-up', ['csrf_id' => 'my-id']);

will return:

<form action="http://example.com/index.php/u/sign-up" method="post" accept-charset="utf-8">
    <input type="hidden" id="my-id" name="form_csrf" value="964ede6e0ae8a680f7b8eab69136717d" />
ShapCyber
  • 3,382
  • 2
  • 21
  • 27