 

Codeigniter CSRF - how does it work


Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms, and I assume that it stores the token in a session too. On POST requests, does CI automatically compare tokens, or do I have to do that manually?

CyberJunkie asked Jun 05 '11 17:06




1 Answer

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

Wesley Murch answered Oct 12 '22 10:10

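To make the mechanism in the answer concrete, here is an added stand-alone PHP sketch (not CodeIgniter's own code) of the double-submit check it describes: a token issued in a cookie, echoed back by the hidden field that form_open() emits, and compared against the cookie on every POST. The cookie and field names are assumptions that mirror the CI 2.x defaults for $config['csrf_cookie_name'] and $config['csrf_token_name'].

```php
<?php
// Added illustration, not CodeIgniter's Security/Input classes.
// Assumed names: they match CI 2.x's default csrf_cookie_name and
// csrf_token_name config values.
const CSRF_COOKIE = 'csrf_cookie_name';
const CSRF_FIELD  = 'csrf_token_name';

// Hand the client a token in a cookie if it does not already have one.
// (CI's Security class regenerates this per request when needed; here
// an existing cookie value is simply reused.)
function csrf_token(): string {
    if (!empty($_COOKIE[CSRF_COOKIE])) {
        return $_COOKIE[CSRF_COOKIE];
    }
    $token = bin2hex(random_bytes(16));          // 128 bits, unpredictable
    setcookie(CSRF_COOKIE, $token, time() + 7200, '/');
    $_COOKIE[CSRF_COOKIE] = $token;              // visible to this request too
    return $token;
}

// The hidden input that form_open() adds for you when CSRF is enabled.
function csrf_field(): string {
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// The check the Input class performs on POST: the posted field must be
// present and equal the cookie. hash_equals() keeps the comparison
// constant-time so the token cannot be guessed via timing.
function csrf_verify(array $post, array $cookie): bool {
    if (!isset($post[CSRF_FIELD], $cookie[CSRF_COOKIE])) {
        return false;
    }
    return hash_equals($cookie[CSRF_COOKIE], $post[CSRF_FIELD]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST, $_COOKIE)) {
        // CI shows its own error page here and never touches $_POST.
        http_response_code(403);
        exit('The action you have requested is not allowed.');
    }
    // ... only now is it safe to act on the form data ...
}

// A minimal form; a cross-site page cannot read or forge the cookie value.
echo '<form method="post" action="">' . csrf_field()
   . '<button type="submit">Submit</button></form>';
```

A forged cross-site POST carries the victim's cookie automatically but cannot supply the matching hidden field, so csrf_verify() fails and the request is rejected before any handler runs.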