Codeigniter Csrf - How Does It Work

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

CodeIgniter, CSRF token

Access the Csrf Token in controller

In the controller you can get the name and value of the CSRF token as follows:

    echo $this->security->get_csrf_token_name(); // for the name
    echo $this->security->get_csrf_hash();       // for the value

Enable CSRF in Config file

    $config['csrf_protection'] = TRUE;
    $config['csrf_expire'] = 7200;
    $config['csrf_regenerate'] = TRUE;

1. Using CSRF tokens with the form helper

We have two ways to add CSRF tokens: if you build your form with the CodeIgniter form helper class, the CSRF token is added automatically; if you build a custom form, you need to add a hidden input with the token name and value yourself.

When we use the form helper class:

    <?php echo form_open(base_url( 'user/login' ), array( 'id' => 'login', 'class' => 'login' ));?>
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" name="submit" value="Submit" />
    <?php echo form_close();?>

Using the form helper class will automatically add a hidden input field to the form with a random token value to prevent CSRF.

2. When we use custom form:

We need to add an input field to protect our custom form against CSRF.

    <?php
    $csrf = array(
        'name' => $this->security->get_csrf_token_name(),
        'hash' => $this->security->get_csrf_hash()
    );
    ?>

    <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />

If you use the form helper, then form_open() will automatically insert a hidden CSRF field in your forms. If not, you can use get_csrf_token_name() and get_csrf_hash().

http://www.codeigniter.com/user_guide/libraries/security.html

http://www.sks.com.np/secure-your-codeigniter-application-using-csrf-token/

CSRF Protection Codeigniter generating Random token

The tokens are random, but CodeIgniter will use the same token value until the CSRF cookie expires or, if $config['csrf_regenerate'] = TRUE, it will create a new token value on each POST request.

GET requests (i.e. navigating to some other page on the site) do not generate a new token.

Codeigniter CSRF protection VS tabs

Background

There is no need to regenerate the CSRF token upon each form submission. There is little security benefit - if the attacker could retrieve the token from your page then they have already won. This will enable your site to run across tabs without error.

See this page for some background on the security aspect: Why [you shouldn't] refresh CSRF token per form request?.

CodeIgniter v3

v3 uses a configuration item named csrf_regenerate. Set this to FALSE to prevent regeneration after each request.

CodeIgniter v2

The code CodeIgniter uses is discussed in this post: CSRF Protection in CodeIgniter 2.0: A closer look. The relevant code is below:

    function csrf_verify()
    {
        // If no POST data exists we will set the CSRF cookie
        if (count($_POST) == 0)
        {
            return $this->csrf_set_cookie();
        }

        // Do the tokens exist in both the _POST and _COOKIE arrays?
        if ( ! isset($_POST[$this->csrf_token_name]) OR
             ! isset($_COOKIE[$this->csrf_cookie_name]) )
        {
            $this->csrf_show_error();
        }

        // Do the tokens match?
        if ( $_POST[$this->csrf_token_name]
             != $_COOKIE[$this->csrf_cookie_name] )
        {
            $this->csrf_show_error();
        }

        // We kill this since we're done and we don't
        // want to pollute the _POST array
        unset($_POST[$this->csrf_token_name]);

        // Re-generate CSRF Token and Cookie
        unset($_COOKIE[$this->csrf_cookie_name]);
        $this->_csrf_set_hash();
        $this->csrf_set_cookie();

        log_message('debug', "CSRF token verified ");
    }

Simply remove the following code from the function:

    // Re-generate CSRF Token and Cookie
    unset($_COOKIE[$this->csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();
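To make the mechanism described in the first answer (token in a hidden field, matching token in a cookie, comparison on POST) and the v2 csrf_verify() function above concrete, here is an added, stand-alone PHP example. It is not CodeIgniter's code and not from any of the answers: the function names csrf_prepare(), csrf_hidden_field() and csrf_verify() are assumptions, plain arrays stand in for $_POST and $_COOKIE so it runs from the command line, the token is produced with random_bytes() instead of CodeIgniter 2's md5(uniqid(rand(), TRUE)), and the comparison uses hash_equals() rather than the != shown above. It goes one step beyond the answers by walking through the two-tab scenario with csrf_regenerate on and off, and shows why a cross-site POST without the token is rejected.

```php
<?php
// Added example (not CodeIgniter's own code): a minimal model of CodeIgniter 2/3
// CSRF handling with no framework dependencies. The constants mirror the
// default values of $config['csrf_token_name'] and $config['csrf_cookie_name'].
const CSRF_TOKEN_NAME  = 'csrf_test_name';
const CSRF_COOKIE_NAME = 'csrf_cookie_name';

// Fresh random token (assumption: CSPRNG instead of CI 2's md5(uniqid(rand(), TRUE))).
function csrf_new_hash(): string
{
    return bin2hex(random_bytes(16));
}

// GET side: make sure the cookie carries a token and hand it to the view.
// $cookies stands in for $_COOKIE; in CI this is csrf_set_cookie() calling setcookie().
function csrf_prepare(array &$cookies): string
{
    if (!isset($cookies[CSRF_COOKIE_NAME])
        || !preg_match('/^[0-9a-f]{32}$/', $cookies[CSRF_COOKIE_NAME])) {
        $cookies[CSRF_COOKIE_NAME] = csrf_new_hash();
    }
    return $cookies[CSRF_COOKIE_NAME];
}

// The hidden field form_open() adds, and that a custom form must add by hand.
function csrf_hidden_field(string $hash): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME
         . '" value="' . htmlspecialchars($hash, ENT_QUOTES) . '" />';
}

// POST side, mirroring csrf_verify(): returns true when the submitted token
// matches the cookie; CI would call csrf_show_error() where this returns false.
// $regenerate models $config['csrf_regenerate'].
function csrf_verify(array &$post, array &$cookies, bool $regenerate): bool
{
    if (!isset($post[CSRF_TOKEN_NAME]) || !isset($cookies[CSRF_COOKIE_NAME])) {
        return false; // token missing from one side
    }
    // hash_equals() avoids the timing leak of a plain != comparison
    if (!hash_equals($cookies[CSRF_COOKIE_NAME], $post[CSRF_TOKEN_NAME])) {
        return false;
    }
    unset($post[CSRF_TOKEN_NAME]); // CI removes it so controllers never see it
    if ($regenerate) {
        $cookies[CSRF_COOKIE_NAME] = csrf_new_hash(); // new token after every POST
    }
    return true;
}

// Walk-through with constructed data: one page load, two tabs submit the same form.
$cookies = [];
$hash = csrf_prepare($cookies);
echo csrf_hidden_field($hash), PHP_EOL;

$tabA = [CSRF_TOKEN_NAME => $hash, 'username' => 'alice'];
$tabB = [CSRF_TOKEN_NAME => $hash, 'username' => 'alice'];

// csrf_regenerate = TRUE: tab A succeeds and rotates the cookie, so tab B's
// now-stale token is rejected (the cross-tab error the last answer describes).
var_dump(csrf_verify($tabA, $cookies, true));
var_dump(csrf_verify($tabB, $cookies, true));

// csrf_regenerate = FALSE: both tabs verify against the unchanged cookie.
$cookies = [];
$hash = csrf_prepare($cookies);
$tabA = [CSRF_TOKEN_NAME => $hash];
$tabB = [CSRF_TOKEN_NAME => $hash];
var_dump(csrf_verify($tabA, $cookies, false));
var_dump(csrf_verify($tabB, $cookies, false));

// A cross-site POST cannot read the victim's cookie, so it arrives without the
// token and is rejected regardless of the regenerate setting.
$crossSite = ['username' => 'alice'];
var_dump(csrf_verify($crossSite, $cookies, false));
```

Run it with `php csrf_example.php` (PHP 7 or later for random_bytes() and the scalar type hints). The regenerate flag is the only difference between the two walk-throughs, which is exactly what switching $config['csrf_regenerate'] to FALSE in v3, or deleting the four regeneration lines in v2, changes.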

