Enable Cross-site request forgery (CSRF) Protection on CodeIgniter

What is CSRF

Cross-site request forgery, or CSRF, is a type of security vulnerability that can allow an unauthorized user to perform malicious activity on a website or web application as an authorized user. It usually tricks authorized users into performing a malicious action on a website, such as changing a password or transferring money from a bank's website.

How to protect your CodeIgniter website against CSRF

CodeIgniter provides an effective way to protect against CSRF with a security token. Enabling it is highly recommended if you have a website where users can submit a form. Below are the steps to enable CSRF protection on a CodeIgniter website:

  1. Go to your primary config file application/config/config.php and enable CSRF protection:

    $config['csrf_protection'] = TRUE; // TRUE to enable and FALSE to disable CSRF
    $config['csrf_token_name'] = 'my_token_name'; //if you want to change name for token. Optional, leave as it is for default
    $config['csrf_cookie_name'] = 'my_cookie_name'; // If you want to change cookie name which contains token value.  Optional, leave as it is for default
    $config['csrf_expire'] = 3600; // The number of seconds before token expires
    $config['csrf_regenerate'] = FALSE; // TRUE to regenerate token for each request. FALSE to use the same token until the time expires as per "csrf_expire" value above
    $config['csrf_exclude_uris'] = array('my/api'); // If you want to exclude any URIs from CSRF validation, provide them here. 

That's it. Now, create a form using the CI form helper's form_open() function and CI will automatically insert a hidden CSRF field in your forms.

If you do not use form_open() to create forms, you can use get_csrf_token_name() and get_csrf_hash() anywhere within the PHP code to insert the token name and its value respectively. A simple example is below:

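<!-- method="post" is required: CodeIgniter validates the CSRF token on POST requests -->
<form method="post">
    <label for="title">Title</label>
    <input type="text" id="title" name="title" /><br />

    <label for="text">Text</label>
    <textarea id="text" name="text"></textarea><br />

    <!-- echo is needed so the token name and value are actually written into the page -->
    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
    <input type="submit" name="submit" value="Submit Form" />
</form>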

 

Description of the above parameters:

  • $config['csrf_expire']: Determines the time (in seconds) for which the token is valid. Setting it too low might cause users to face frequent 403 error responses. E.g. if you set the value to 120 (2 minutes), the token might expire while the user is filling in the form, and they would need to refresh the page, losing the form data. Set it to a reasonably large value so that users have sufficient time to fill in and submit the form.
  • $config['csrf_regenerate']: Determines whether the token should be regenerated for every form request. Ideally this would be TRUE, but there are some cases where you may want to keep it FALSE. E.g. if your users navigate your website using the forward/back buttons or open multiple tabs/windows, older tokens become invalid and cause trouble for the users, resulting in a bad user experience. Another case is when your forms are submitted using AJAX/jQuery or similar methods: the form is not loaded again, so the old token is reused unless the page is refreshed. In these cases you may want to keep it FALSE.
  • $config['csrf_exclude_uris']: Set the array of URIs which you want to exclude from the CSRF check. Most probably you will want to keep it blank unless you are exposing some APIs and expect requests from other domains. If you are not sure, leave it blank.
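For the AJAX case described under csrf_regenerate, one option is to read the token from the CSRF cookie immediately before each request instead of reusing the value rendered at page load. The following is an added example, not code from the original page or from CodeIgniter. It assumes the token and cookie names from the config above, no cookie_prefix, and a CSRF cookie that JavaScript can read (cookie_httponly left FALSE). The function names are hypothetical.

```javascript
// Names mirror the config values shown on this page (assumed, adjust to your config).
const CSRF_TOKEN_NAME = 'my_token_name';   // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'my_cookie_name'; // $config['csrf_cookie_name']

// Extract one cookie value from a "k=v; k2=v2" string (the document.cookie format).
// The name is compared exactly, so "xmy_cookie_name" does not match.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a form-encoded POST body with the current token added.
// A token field supplied by the caller is overwritten, so a stale value
// captured at page load cannot be sent by mistake.
function buildCsrfBody(fields, cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    throw new Error('CSRF cookie not found; reload the page to obtain a token');
  }
  const body = new URLSearchParams(fields);
  body.set(CSRF_TOKEN_NAME, token);
  return body.toString();
}

// Browser-side wrapper (hypothetical helper): the cookie is re-read on every
// call, so a token regenerated by the previous response is picked up.
function postWithCsrf(url, fields) {
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildCsrfBody(fields, document.cookie),
  });
}

// Constructed sample cookie string, in the format document.cookie returns.
const sampleCookies = 'ci_session=abc123; my_cookie_name=0f1e2d3c4b5a69788796a5b4c3d2e1f0';
console.log(buildCsrfBody({ title: 'Hello', text: 'World' }, sampleCookies));
```

If cookie_httponly is TRUE the cookie is not visible to scripts, and the server would instead need to return the new token in each AJAX response.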


Some Questions which should be answered by this page

  1. How to enable Cross-site request forgery (CSRF) protection on a CodeIgniter website.
  2. How to secure a CodeIgniter website.
  3. What is Cross-site request forgery (CSRF).

 

 


Technology Central © 2014 - 2017