I know the question has been answered, but I did it in a similar way without hacking the CI core. I added the following to my application/config/config.php file:
$config['csrf_ignore'] = array('api');
The array can include any paths you like. The example above will apply to any paths that begin with 'api'.
Then, I added the following file: application/core/MY_Input.php:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class MY_Input extends CI_Input
{
function _sanitize_globals()
{
$ignore_csrf = config_item('csrf_ignore');
if (is_array($ignore_csrf) && count($ignore_csrf))
{
global $URI;
$haystack = $URI->uri_string();
foreach($ignore_csrf as $needle)
{
if (strlen($haystack) >= strlen($needle) && substr($haystack, 0, strlen($needle)) == $needle)
{
$this->_enable_csrf = FALSE;
break;
}
}
}
parent::_sanitize_globals();
}
}
/* EOF: MY_Input */