Codeigniter CSRF - how does it work
The CSRF token is added to the form as a hidden input only when the form_open() function is used.
A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.
If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.
So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.
A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html
CodeIgniter, Csrf token
Access the Csrf Token in controller
In a controller you can get the name and value of the CSRF token as follows:
echo $this->security->get_csrf_token_name(); // for the name
echo $this->security->get_csrf_hash(); // for the value
Enable CSRF in Config file
$config['csrf_protection'] = TRUE;
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
1. Using CSRF tokens with the form helper
There are two ways to add CSRF tokens: if you build your form with the CodeIgniter form helper class, the CSRF token is added automatically; if you use a custom form, you need to add a hidden input with the token name and value yourself.
When using the form helper class:
<?php echo form_open(base_url( 'user/login' ), array( 'id' => 'login', 'class' => 'login' ));?>
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Submit" />
<?php echo form_close();?>
Using the form helper class automatically adds a hidden input field to the form with a random token value to prevent CSRF.
2. When using a custom form:
We need to add an input field to protect our custom form against CSRF.
<?php
// Token name and value come from the Security class, the same values form_open() would embed
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);
?>
<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
If you use the form helper, then form_open() will automatically insert a hidden csrf field in your forms. If not, then you can use get_csrf_token_name() and get_csrf_hash().
http://www.codeigniter.com/user_guide/libraries/security.html
http://www.sks.com.np/secure-your-codeigniter-application-using-csrf-token/
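A fuller CodeIgniter 3 wiring of the two approaches above, as an added example that is not from the answers on this page or from the CodeIgniter project itself: the relevant config keys, a controller that renders both a helper-generated and a hand-written form and handles the POST, and a JSON response that hands the regenerated token back to an AJAX client. The controller name Account, the view account/profile, the display_name field and the route names are assumptions made for illustration; the CI 3 library calls (form_validation, session, input, output, security) are the framework's own.

```php
<?php
// Added example (not CodeIgniter's own code). Assumes CodeIgniter 3.1.x.
// Config, controller and view are shown in one block; split them into the
// files named in the comments. Account, account/profile and display_name
// are illustrative assumptions.

// --- application/config/config.php (relevant keys) ---
// $config['csrf_protection']   = TRUE;
// $config['csrf_token_name']   = 'csrf_test_name';   // name of the hidden field
// $config['csrf_cookie_name']  = 'csrf_cookie_name'; // name of the cookie it is compared to
// $config['csrf_expire']       = 7200;
// $config['csrf_regenerate']   = TRUE;               // new hash after every POST
// $config['csrf_exclude_uris'] = array();            // keep empty unless a URI really needs it

// --- application/controllers/Account.php ---
defined('BASEPATH') OR exit('No direct script access allowed');

class Account extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->library(array('form_validation', 'session'));
    }

    // GET /account/profile: render the form. On a GET the Security class only
    // (re)sets the cookie, so the hash embedded here equals the cookie value.
    public function profile()
    {
        $data = array(
            'csrf_name' => $this->security->get_csrf_token_name(),
            'csrf_hash' => $this->security->get_csrf_hash(),
            'message'   => $this->session->flashdata('message'),
        );
        $this->load->view('account/profile', $data);
    }

    // POST /account/update. CI_Security::csrf_verify() has already run before
    // this method: a missing or mismatching token ended the request with a
    // 403 "The action you have requested is not allowed." page, so only valid
    // submissions get here, and with csrf_regenerate = TRUE a fresh hash and
    // cookie have already been issued.
    public function update()
    {
        $this->form_validation->set_rules('display_name', 'Display name', 'required|max_length[40]');
        if ($this->form_validation->run() === FALSE) {
            return $this->respond(FALSE, validation_errors());
        }
        $name = $this->input->post('display_name', TRUE);
        // ... persist $name ...
        return $this->respond(TRUE, 'Saved.');
    }

    // Browser form posts get a redirect; AJAX posts get JSON carrying the token
    // that is valid now, so the client overwrites its stored value before the
    // next POST (otherwise that POST fails once the hash has been regenerated).
    private function respond($ok, $message)
    {
        if ($this->input->is_ajax_request()) {
            return $this->output
                ->set_content_type('application/json')
                ->set_status_header($ok ? 200 : 422)
                ->set_output(json_encode(array(
                    'ok'        => $ok,
                    'message'   => $message,
                    'csrf_name' => $this->security->get_csrf_token_name(),
                    'csrf_hash' => $this->security->get_csrf_hash(),
                )));
        }
        $this->session->set_flashdata('message', $message);
        redirect('account/profile');
    }
}

// --- application/views/account/profile.php (separate file; shown inline) ---
?>
<?php if ($message): ?><p><?php echo html_escape($message); ?></p><?php endif; ?>

<?php // 1. form helper: form_open() injects the hidden token field itself ?>
<?php echo form_open('account/update', array('id' => 'profile')); ?>
    <input type="text" name="display_name" />
    <input type="submit" value="Save" />
<?php echo form_close(); ?>

<?php // 2. hand-written form: the hidden field has to be added explicitly ?>
<form method="post" action="<?php echo site_url('account/update'); ?>">
    <input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>" />
    <input type="text" name="display_name" />
    <input type="submit" value="Save" />
</form>
```

Two points worth checking in a real deployment: csrf_exclude_uris should stay empty (or list only endpoints that authenticate by some other means), because any URI listed there accepts state-changing POSTs without a token; and an AJAX client must read csrf_hash from each response and overwrite its own copy, since with csrf_regenerate = TRUE the value it sent is no longer valid after the first successful POST.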
CSRF Protection Codeigniter generating Random token
The tokens are random. But, Codeigniter will use the same token value until the CSRF cookie expires OR, if $config['csrf_regenerate'] = TRUE; it will create a new token value on each POST request.
GET requests (i.e. navigating to some other page on the site) do not generate a new token.
Codeigniter CSRF protection VS tabs
Background
There is no need to regenerate the CSRF token upon each form submission. There is little security benefit - if the attacker could retrieve the token from your page then they already have won. This will enable your site to run cross-tabs without error.
See this page for some background on the security aspect: Why [you shouldn't] refresh CSRF token per form request?.
CodeIgniter v3
v3 uses a configuration item named csrf_regenerate. Set this to FALSE to prevent regeneration after each request.
CodeIgniter v2
The code CodeIgniter uses is discussed in this post: CSRF Protection in CodeIgniter 2.0: A closer look. The relevant code is below:
function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->csrf_token_name]) OR
         ! isset($_COOKIE[$this->csrf_cookie_name]) )
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ( $_POST[$this->csrf_token_name]
         != $_COOKIE[$this->csrf_cookie_name] )
    {
        $this->csrf_show_error();
    }

    // We kill this since we're done and we don't
    // want to pollute the _POST array
    unset($_POST[$this->csrf_token_name]);

    // Re-generate CSRF Token and Cookie
    unset($_COOKIE[$this->csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified ");
}
Simply remove the following code from the function:
// Re-generate CSRF Token and Cookie
unset($_COOKIE[$this->csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();
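To make the behaviour described in the "how does it work", "generating Random token" and "VS tabs" answers concrete, here is a stand-alone model of the double-submit-cookie check that csrf_verify() above performs, with the csrf_regenerate switch. It is an added example, not CodeIgniter code: the CsrfModel class, the csrfScenarios() function and the scenario names are made up for illustration, and the in-memory cookie jar stands in for the browser. It runs on plain PHP 7 or later with no framework.

```php
<?php
// Added example: a stand-alone model of the double-submit-cookie check that
// csrf_verify() performs, with the csrf_regenerate switch. Not CodeIgniter
// code; class, function and scenario names are illustrative. Requires PHP 7+.

final class CsrfModel
{
    const TOKEN_NAME  = 'csrf_test_name';   // hidden field name (CI's default config value)
    const COOKIE_NAME = 'csrf_cookie_name'; // cookie it is compared against (CI's default)

    private $regenerate;
    private $hash;
    private $browserCookies = array();      // stands in for the user's cookie jar

    public function __construct($regenerate)
    {
        $this->regenerate = (bool) $regenerate;
        $this->setHash();
    }

    // Server picks a random hash and hands it to the browser as a cookie.
    private function setHash()
    {
        $this->hash = bin2hex(random_bytes(16));
        $this->browserCookies[self::COOKIE_NAME] = $this->hash;
    }

    // A GET that renders a form: the page embeds the current hash. No new token
    // is generated on GET, so two tabs opened in a row carry the same value.
    public function renderForm()
    {
        return array(self::TOKEN_NAME => $this->hash);
    }

    // Cookies the browser attaches to any request to this site, including a
    // cross-site POST, which is why the cookie alone proves nothing.
    public function browserCookies()
    {
        return $this->browserCookies;
    }

    // The POST check: both values present and equal (constant-time compare).
    // On success, rotate hash and cookie if regenerate is on, which is what the
    // "Re-generate CSRF Token and Cookie" lines above do.
    public function verify(array $post, array $cookies)
    {
        if ( ! isset($post[self::TOKEN_NAME], $cookies[self::COOKIE_NAME])) {
            return false;
        }
        if ( ! hash_equals((string) $cookies[self::COOKIE_NAME], (string) $post[self::TOKEN_NAME])) {
            return false;
        }
        if ($this->regenerate) {
            $this->setHash();
        }
        return true;
    }
}

// Four request sequences; returns scenario name => whether the POST was accepted.
function csrfScenarios()
{
    $r = array();

    // 1. Legitimate: render the page, submit it with the matching cookie.
    $site = new CsrfModel(true);
    $form = $site->renderForm();
    $r['legit'] = $site->verify($form, $site->browserCookies());

    // 2. Cross-site forgery: the attacker's page auto-submits a POST. The browser
    // attaches the victim's cookie, but the attacker never saw the page, so the
    // body carries a guess or no token at all. Both are rejected.
    $site = new CsrfModel(true);
    $site->renderForm();
    $r['forged_guess']   = $site->verify(array(CsrfModel::TOKEN_NAME => 'guess'), $site->browserCookies());
    $r['forged_missing'] = $site->verify(array('amount' => '1000'), $site->browserCookies());

    // 3. Two tabs, csrf_regenerate = TRUE: tab 1 submits and rotates the cookie;
    // tab 2 still holds the old hash, so its submit is rejected.
    $site = new CsrfModel(true);
    $tab1 = $site->renderForm();
    $tab2 = $site->renderForm();
    $site->verify($tab1, $site->browserCookies());
    $r['second_tab_regenerate_on'] = $site->verify($tab2, $site->browserCookies());

    // 4. Two tabs, csrf_regenerate = FALSE: the hash stays valid until the cookie
    // expires, so tab 2 is accepted as well.
    $site = new CsrfModel(false);
    $tab1 = $site->renderForm();
    $tab2 = $site->renderForm();
    $site->verify($tab1, $site->browserCookies());
    $r['second_tab_regenerate_off'] = $site->verify($tab2, $site->browserCookies());

    return $r;
}

var_export(csrfScenarios());
```

Scenario 2 is the one the protection exists for: the forged request fails regardless of the regenerate setting, because the attacker cannot read the cookie value to copy it into the body. Scenarios 3 and 4 show the trade-off the "VS tabs" answer is about: turning regeneration off removes the second-tab failure, and a token that stays fixed until the cookie expires is only a problem for an attacker who can already read the page.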