Codeigniter CSRF - how does it work

旧巷少年郎 2020-11-29 06:19

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden

3 Answers
  • 2020-11-29 06:29

    The CSRF token is added to the form as a hidden input only when the form_open() function is used.

    A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

    If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

    So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

    A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html

  • 2020-11-29 06:43

    When CSRF protection is enabled, the Security class checks this token automatically (it compares the POST token with the COOKIE token).

  • 2020-11-29 06:47

    Refer to this link -- Used CSRF Tokens using form helper or Manually

    The article explains how to work with CSRF tokens in

    • form open with form helper form_open() function
    • in ajax forms
    • ajax/jquery serialization forms

    This article also explains how to "Disable CSRF for certain URLs (which are used as webservice URLs)"

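Added example, not part of the answers above and not CodeIgniter's own code: a stand-alone PHP model of the check the first two answers describe, where the token posted in the hidden field must equal the token stored in the cookie. The function names, the field and cookie names, and the sample requests are constructed for illustration.

```php
<?php
// Stand-alone model of a double-submit cookie check (hypothetical helper names).

// Issue a token: reuse a well-formed one from the cookie, otherwise mint a new one.
function csrf_issue(array $cookies, string $cookie = 'csrf_cookie_name'): string
{
    if (isset($cookies[$cookie]) && is_string($cookies[$cookie])
        && preg_match('/^[0-9a-f]{32}$/', $cookies[$cookie])) {
        return $cookies[$cookie];
    }
    return bin2hex(random_bytes(16)); // 32 hex characters
}

// Verify a request: only POST is checked; the posted field must equal the cookie.
function csrf_verify(string $method, array $post, array $cookies,
                     string $field = 'csrf_test_name',
                     string $cookie = 'csrf_cookie_name'): bool
{
    if (strtoupper($method) !== 'POST') {
        return true; // no POST data, nothing to validate
    }
    if (!isset($post[$field], $cookies[$cookie])
        || !is_string($post[$field]) || !is_string($cookies[$cookie])) {
        return false; // missing field or missing cookie: reject
    }
    return hash_equals($cookies[$cookie], $post[$field]); // constant-time compare
}

// Constructed sample requests. The browser sends the cookie with every request,
// but only a page served by the application can copy its value into the form.
$token   = csrf_issue([]);                  // first visit: no cookie yet
$cookies = ['csrf_cookie_name' => $token];  // cookie as stored by the browser

$cases = [
    'form with hidden token field' => ['POST', ['csrf_test_name' => $token, 'q' => 'x']],
    'POST without token field'     => ['POST', ['q' => 'x']],
    'POST with wrong token'        => ['POST', ['csrf_test_name' => str_repeat('0', 32)]],
    'plain GET'                    => ['GET', []],
];
foreach ($cases as $label => [$method, $post]) {
    $result = csrf_verify($method, $post, $cookies) ? 'accepted' : 'rejected';
    printf("%-30s %s\n", $label, $result);
}
```

The second case is what a hand-written form that omits the hidden input produces, which is why the first answer ties the protection to building forms with form_open().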