How to Enable CSRF in CodeIgniter?

In CodeIgniter, you enable CSRF (Cross-Site Request Forgery) protection by setting the option below to TRUE in the application/config/config.php file. With it enabled, CodeIgniter rejects state-changing requests that do not carry a valid token, which is what defends it against forged cross-site requests.


$config['csrf_protection'] = TRUE;


If you use the form_open() helper, it creates the form tag and automatically adds a hidden CSRF token field to your form. CodeIgniter then checks this token as part of the security function on every form submission. When it detects a CSRF error it immediately throws a 401 error.

If you do not use form_open(), the hidden token field is not created automatically, so you must insert it manually. Paste the following inside your form:


<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
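As an added example (not code from the original post), the config excerpt below lists the related CSRF options that CodeIgniter 3 reads alongside csrf_protection, followed by a view that carries the token in a form_open() form, in a hand-written form, and in a fetch() POST; the view file name, the profile/update route and the display_name field are assumptions.

```php
<?php
// application/config/config.php (excerpt, CodeIgniter 3.x) -- constructed example values
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';   // POST field name the check looks for
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // cookie carrying the expected value
$config['csrf_expire']       = 7200;               // seconds a token stays valid
$config['csrf_regenerate']   = TRUE;               // new token per request: AJAX code must re-read it
$config['csrf_exclude_uris'] = array();            // leave empty unless a webhook genuinely needs it

// application/views/profile_form.php (assumed name); needs the form and url helpers loaded
?>
<!-- 1) form_open() emits the hidden token field itself -->
<?php echo form_open('profile/update'); ?>
  <input type="text" name="display_name">
  <button type="submit">Save</button>
</form>

<!-- 2) a hand-written form must include the field explicitly, using the configured names -->
<form method="post" action="<?php echo site_url('profile/update'); ?>">
  <input type="hidden"
         name="<?php echo $this->security->get_csrf_token_name(); ?>"
         value="<?php echo $this->security->get_csrf_hash(); ?>">
  <input type="text" name="display_name">
  <button type="submit">Save</button>
</form>

<!-- 3) expose the token to JavaScript; XHR/fetch POSTs are checked exactly like form posts -->
<meta name="csrf-name" content="<?php echo $this->security->get_csrf_token_name(); ?>">
<meta name="csrf-hash" content="<?php echo $this->security->get_csrf_hash(); ?>">
<script>
  const body = new FormData();
  body.append(document.querySelector('meta[name=csrf-name]').content,
              document.querySelector('meta[name=csrf-hash]').content);
  body.append('display_name', 'Alice');
  // same-origin credentials so the CSRF cookie is sent; a missing or stale token
  // is rejected by the Security class before the controller method runs
  fetch('<?php echo site_url('profile/update'); ?>',
        { method: 'POST', credentials: 'same-origin', body: body });
</script>
```

With csrf_regenerate set to TRUE, a page that fires several AJAX POSTs must read the fresh token from the response cookie each time, otherwise the second request fails the check.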
