CSRF stands for Cross-Site Request Forgery. What is CSRF? Why is it necessary to prevent CSRF in web development?
CSRF is a security flaw that becomes possible when an attacker can make use of a user's established session (typically the session cookie) without any additional verification. In detail, CSRF occurs when a user (the victim) is tricked into interacting with a page or script on a third-party site that sends a crafted request to your site. Because the browser attaches the victim's cookies to that request automatically, your server sees a request from an authenticated user, while the attacker has full control over the data sent in it. The attacker normally cannot read the response, but can trigger any state-changing action the victim is allowed to perform: changing an email address or password, transferring funds, posting content, or, if the victim is an administrator, changing settings for the whole application.
How can we prevent CSRF in the CodeIgniter framework?
To enable CSRF protection in CodeIgniter 3:
- Open your application/config/config.php file and set $config['csrf_protection'] and $config['csrf_regenerate'] to TRUE instead of FALSE (the key is csrf_protection; there is no csrf_prevention setting).
$config['csrf_protection'] = TRUE; $config['csrf_regenerate'] = TRUE;
- Add the CSRF hash (the token) to every form that is submitted with POST, either as a hidden input field you write yourself or via the form_open() helper.
- If you use the form helper, form_open() adds the token as a hidden input field for you:
<?php echo form_open(); ?>
- If you build the form by hand instead, you must add the hidden token field yourself. For example:
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">
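The steps above switch the check on; what CodeIgniter then does on every request is a double-submit token comparison. The following stand-alone PHP script is an added example that reproduces that check so it can be run from the command line without the framework; it is not CodeIgniter's own code. The constants reuse CodeIgniter's default csrf_token_name and csrf_cookie_name values, the function names (csrf_generate_hash, csrf_hidden_field, csrf_verify) are hypothetical, and the request arrays are constructed inline to stand in for $_SERVER, $_POST and $_COOKIE.

```php
<?php
// Stand-alone illustration of the double-submit token check that CodeIgniter 3's
// Security class performs (example code, not CodeIgniter's source).
// Run with:  php csrf_demo.php

const CSRF_TOKEN_NAME  = 'csrf_test_name';   // default $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // default $config['csrf_cookie_name']

/** Fresh 32-hex-character token. CodeIgniter's own generator differs, the shape is the same. */
function csrf_generate_hash(): string
{
    return bin2hex(random_bytes(16));
}

/** The hidden input every POST form must carry; this is what form_open() emits. */
function csrf_hidden_field(string $hash): string
{
    return '<input type="hidden" name="' . htmlspecialchars(CSRF_TOKEN_NAME, ENT_QUOTES)
         . '" value="' . htmlspecialchars($hash, ENT_QUOTES) . '">';
}

/**
 * Verify a request the way csrf_verify() does:
 *  - only POST requests are checked, so GET must never change state;
 *  - the token posted in the form must equal the token in the cookie;
 *  - the comparison is constant-time (hash_equals) and the value must be 32 hex chars.
 */
function csrf_verify(array $server, array $post, array $cookie): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return true; // nothing to verify; CodeIgniter only (re)sets the cookie here
    }
    if (!isset($post[CSRF_TOKEN_NAME], $cookie[CSRF_COOKIE_NAME])) {
        return false;
    }
    $posted = $post[CSRF_TOKEN_NAME];
    $stored = $cookie[CSRF_COOKIE_NAME];
    return is_string($posted) && is_string($stored)
        && preg_match('/^[0-9a-f]{32}$/iD', $posted) === 1
        && hash_equals($stored, $posted);
}

// --- constructed requests (not captured traffic) ---------------------------

$hash = csrf_generate_hash();
echo "Form field the view must contain:\n", csrf_hidden_field($hash), "\n\n";

// 1. Legitimate submission: the browser sends the cookie and the form carries the same token.
$legit = csrf_verify(
    ['REQUEST_METHOD' => 'POST'],
    ['email' => 'victim@example.com', CSRF_TOKEN_NAME => $hash],
    [CSRF_COOKIE_NAME => $hash]
);

// 2. Forged submission from a third-party page: the browser still attaches the victim's
//    cookie, but the attacker cannot read it, so the form field is missing or a guess.
$forged = csrf_verify(
    ['REQUEST_METHOD' => 'POST'],
    ['email' => 'attacker@example.com'],
    [CSRF_COOKIE_NAME => $hash]
);
$guessed = csrf_verify(
    ['REQUEST_METHOD' => 'POST'],
    ['email' => 'attacker@example.com', CSRF_TOKEN_NAME => str_repeat('0', 32)],
    [CSRF_COOKIE_NAME => $hash]
);

// 3. A GET request is never checked, which is why state changes must be behind POST.
$get = csrf_verify(['REQUEST_METHOD' => 'GET'], [], []);

printf("legitimate POST accepted: %s\n", var_export($legit, true));
printf("forged POST without token accepted: %s\n", var_export($forged, true));
printf("forged POST with guessed token accepted: %s\n", var_export($guessed, true));
printf("GET request passes without any check: %s\n", var_export($get, true));
```

Two practical consequences follow from this check. First, because only POST is verified, any action that changes state (delete, update, transfer) must be reachable by POST only; a GET endpoint that changes state stays forgeable no matter how the config is set. Second, every POST has to carry the token, including AJAX requests: read the value from the cookie named by $config['csrf_cookie_name'] and send it as the $config['csrf_token_name'] field. With $config['csrf_regenerate'] = TRUE a new token is issued on every request, which breaks pages with several open forms or frequent AJAX calls; in that case set it to FALSE and let $config['csrf_expire'] bound the token lifetime. Endpoints that legitimately receive cross-site POSTs (payment or webhook callbacks) go into $config['csrf_exclude_uris'] rather than having the protection disabled globally.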