CodeIgniter use CSRF protection only in some pages

What I want to do is to protect some sensitive forms from CSRF attacks in CodeIgniter, but not all pages.

To protect against CSRF, if I set it in config.php it applies to all pages. Is there any way to do that only for some pages by setting it in the controller?

$config['csrf_protection'] = TRUE;
esrpim asked Aug 22 '13 11:08



3 Answers

You can do this by editing the config.php file

$config['csrf_protection'] = FALSE;

Step 1: create an array of pages that you want to protect

e.g. $csrf_pages = array('login', 'test');

Step 2: check whether the request is for one of the protected pages, and if so set it to TRUE:

// Still inside application/config/config.php, after the $csrf_pages array
if (isset($_SERVER["REQUEST_URI"])) {
    foreach ($csrf_pages as $csrf_page) {
        // Case-insensitive substring match against the requested URI
        if (stripos($_SERVER["REQUEST_URI"], $csrf_page) !== FALSE) {
            $config['csrf_protection'] = TRUE;
            break;
        }
    }
}

Step 3: add this to your views

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash();?>" />

Or simply use the form_open() function to add the hidden CSRF token field automatically.

shah answered Oct 16 '22 12:10


CI3 now has this feature: we can exclude URIs in the config. See http://www.codeigniter.com/userguide3/libraries/security.html?highlight=csrf#cross-site-request-forgery-csrf

// Exclude a single URI from CSRF protection
$config['csrf_exclude_uris'] = array('api/person/add');

// Regular expressions are also accepted
$config['csrf_exclude_uris'] = array(
    'api/record/[0-9]+',
    'api/title/[a-z]+'
);
Bira answered Oct 16 '22 10:10


For a safer approach, you should switch on CSRF protection at all times and only exempt the pages you wish in an array in the config.php file.

$config['csrf_protection'] = TRUE;

Then set an array of links you wish to exempt from CSRF protection:

$csrf_off = array(
    "/api",
    "/api/example",
    "/somelink/something/example"
);

Now turn CSRF protection off for those array links.

if (isset($_SERVER["REQUEST_URI"])) {
    // Exact match only: a URI with a query string or trailing slash
    // will not match and stays protected
    if (in_array($_SERVER["REQUEST_URI"], $csrf_off)) {
        $config['csrf_protection'] = FALSE;
    }
}
Julius answered Oct 16 '22 12:10
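Combining the two exemption answers above for CodeIgniter 2.x, where csrf_exclude_uris does not exist: this added example (not from the question or any answer) keeps protection on by default and exempts only URIs that fully match anchored patterns in the CI3 csrf_exclude_uris style, so neither the substring match of the first answer nor the exact-string match of the third is needed. The csrf_required() helper, its name and the exemption list are assumptions for illustration.

```php
<?php
// Added example for application/config/config.php (CI 2.x). Default is
// csrf_protection = TRUE; only routes matching an anchored pattern are
// exempted. Helper name and pattern list are ours, not CodeIgniter's.

function csrf_required($request_uri, array $exclude_patterns)
{
    // Compare only the path; query string and fragment are not part of the route.
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return TRUE;            // unparsable URI: fail closed, keep CSRF on
    }
    $path = trim($path, '/');

    foreach ($exclude_patterns as $pattern) {
        // Anchor the whole path so 'api/person/add' does not also exempt
        // 'admin/api/person/add/delete', as a substring match would.
        if (preg_match('#^' . $pattern . '$#', $path) === 1) {
            return FALSE;       // explicitly exempted route
        }
    }
    return TRUE;                // everything else stays protected
}

// Constructed exemption list: endpoints that authenticate with a token
// header instead of the session cookie, so CSRF does not apply to them.
$csrf_exclude = array(
    'api/person/add',
    'api/record/[0-9]+',
);

$config['csrf_protection'] = csrf_required(
    isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '',
    $csrf_exclude
);
```

Because the patterns are interpolated into a regex, keep them operator-controlled config values, as CI3 does for csrf_exclude_uris.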