Protect a CodeIgniter Application against CSRF

CodeIgniter is an open source web framework mainly used for building websites with PHP. It is based on the MVC pattern, although the views and models are optional. One of its best features is that it is faster than many similar frameworks. As CodeIgniter is open source, you can find the source code on GitHub. In this post, we are going to talk about how you can protect a CodeIgniter application against CSRF.

CodeIgniter CSRF protection is necessary if you have built your website with the CodeIgniter framework, because of CSRF (cross-site request forgery) attacks. The attacker uses fake forms, such as login and search forms hosted on their own site, to attack your website: when a logged-in user visits the attacker's page, it sends a forged HTTP request to your site that carries the user's session.

Because the request arrives with the victim's credentials, the attacker's site can perform operations on your site in the victim's name, so they can get at vital information within seconds and you would not even know it. Here we have a method by which you can protect your CodeIgniter application.

CSRF Protection for CodeIgniter

There are a couple of methods to protect your application, but we are going to discuss the easiest one, known as the token method. It takes only a few simple steps. What you have to do is create a separate token for every HTTP request and tie that token to the form. There are many ways to do this, but the best one is to use the CSRF token support that is available by default in CodeIgniter, which makes things easier.

The CSRF token works in a simple way: it is saved in a cookie for the session. A request is only authorized after the website has matched the token saved in the cookie against the one submitted with the form. Because the token is constantly changing, it is hard for the attacker to forge a request against the website.

How to enable CodeIgniter CSRF Protection and Token?

Go to "application/config" and open the "config.php" file. Change csrf_protection from FALSE to TRUE and review the related settings:


```php
$config['csrf_protection'] = TRUE;              // turn the check on for every POST request
$config['csrf_token_name'] = 'csrf_test_name';   // name of the hidden form field
$config['csrf_cookie_name'] = 'csrf_cookie_name'; // name of the cookie holding the same value
$config['csrf_expire'] = 7200;                   // token lifetime in seconds
$config['csrf_regenerate'] = TRUE;               // issue a fresh token after every request
$config['csrf_exclude_uris'] = array();          // URIs (e.g. third-party callbacks) that skip the check
```
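With those settings on, CodeIgniter 3 inserts the token for you whenever a view uses form_open(), and exposes the same value to scripts through the Security class. The following controller and view are an added example and are not code from the original post or from CodeIgniter itself; the class name Contact, the view file contact_form.php and the route /contact/send are assumed for illustration.

```php
<?php
// application/controllers/Contact.php (assumed path for this example)
defined('BASEPATH') OR exit('No direct script access allowed');

class Contact extends CI_Controller
{
    public function index()
    {
        $this->load->helper('form'); // gives us form_open(), which emits the hidden csrf field
        // Hand the token name and current hash to the view so JavaScript callers can send it too.
        $data = array(
            'csrf_name' => $this->security->get_csrf_token_name(), // 'csrf_test_name' from config.php
            'csrf_hash' => $this->security->get_csrf_hash(),       // value currently stored in the cookie
        );
        $this->load->view('contact_form', $data);
    }

    public function send()
    {
        // If execution reaches here, the Security class has already compared the submitted
        // csrf_test_name field with the csrf_cookie_name cookie. On a mismatch CodeIgniter
        // stops the request before the controller runs, so no extra check is needed here.
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array('ok' => TRUE)));
    }
}
```

```php
<?php /* application/views/contact_form.php (assumed path for this example) */ ?>
<?php echo form_open('contact/send'); // adds <input type="hidden" name="csrf_test_name" value="..."> ?>
  <input type="text" name="message">
  <button type="submit">Send</button>
<?php echo form_close(); ?>

<script>
// AJAX callers must post the token as a form field; CodeIgniter 3 only reads it from $_POST.
fetch('<?php echo site_url('contact/send'); ?>', {
  method: 'POST',
  credentials: 'same-origin',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: new URLSearchParams({
    '<?php echo $csrf_name; ?>': '<?php echo $csrf_hash; ?>',
    message: 'hello'
  })
});
</script>
```

One caveat follows from csrf_regenerate being TRUE: every request issues a new token, so a page that fires several AJAX requests must pick up the fresh value after each one, or you can set csrf_regenerate to FALSE so the token stays valid for csrf_expire seconds. Keep csrf_exclude_uris as short as possible, since every URI listed there accepts POST requests with no token at all.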

To make tokens unique, a token has to be generated whenever a fresh request arrives without one. The following lines from the Security class show where that happens: the cookie name is set up and the token check is called.


```php
$this->csrf_cookie_name = $this->token_name;

$this->check_token();
```

The following function is the one that produces the token the two sides must match.


```php
function check_token()
{
    // Only compute a hash once per request.
    if ($this->csrf_hash == '')
    {
        // Reuse the token the browser already holds in the CSRF cookie ...
        if ( isset($_COOKIE[$this->csrf_cookie_name]) AND $_COOKIE[$this->csrf_cookie_name] != '' )
        {
            $this->csrf_hash = $_COOKIE[$this->csrf_cookie_name];
        } else {
            // ... or mint a new one when no cookie was sent (first visit, expiry, or regeneration).
            $this->csrf_hash = md5(uniqid(rand(), TRUE));
        }
    }

    return $this->csrf_hash;
}
```

What the function above does is check whether the CSRF cookie is set. If it is, its value becomes the website's token, and that value is then cross-checked against the token submitted with the form; if both match, the request is approved. With csrf_regenerate enabled, each fresh request replaces the earlier token. As you can see, the process is really easy.
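To see the whole cookie-versus-form comparison in one place, here is a framework-free PHP script that implements the same check the function above feeds into. It is an added example, not code from the original post or from CodeIgniter, and it can be tried with `php -S localhost:8080 csrf_demo.php`; the file name and the constants CSRF_COOKIE, CSRF_FIELD and CSRF_EXPIRE are assumed for illustration. It uses PHP's random_bytes() for the token rather than md5(uniqid(rand(), TRUE)), because uniqid() output is time-based and therefore partly predictable.

```php
<?php
// csrf_demo.php (assumed name): double-submit cookie CSRF check, standalone example.
const CSRF_COOKIE = 'csrf_cookie_name'; // mirrors csrf_cookie_name in config.php
const CSRF_FIELD  = 'csrf_test_name';   // mirrors csrf_token_name in config.php
const CSRF_EXPIRE = 7200;               // mirrors csrf_expire (seconds)

function csrf_token(): string
{
    // Reuse the browser's existing token if it looks well-formed, otherwise mint a new one.
    if (isset($_COOKIE[CSRF_COOKIE]) && is_string($_COOKIE[CSRF_COOKIE])
        && preg_match('/^[0-9a-f]{32}$/', $_COOKIE[CSRF_COOKIE])) {
        return $_COOKIE[CSRF_COOKIE];
    }
    $hash = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, unpredictable to an attacker
    // secure=false only because this demo runs over plain http; set it to true in production.
    setcookie(CSRF_COOKIE, $hash, time() + CSRF_EXPIRE, '/', '', false, true);
    $_COOKIE[CSRF_COOKIE] = $hash; // make the new value visible to the rest of this request
    return $hash;
}

function csrf_verify(array $post, array $cookie): bool
{
    // Both values must be present and must be strings: a crafted csrf_test_name[]=x
    // would otherwise reach hash_equals() as an array and raise a TypeError.
    if (!isset($post[CSRF_FIELD], $cookie[CSRF_COOKIE])
        || !is_string($post[CSRF_FIELD]) || !is_string($cookie[CSRF_COOKIE])
        || $post[CSRF_FIELD] === '' || $cookie[CSRF_COOKIE] === '') {
        return false;
    }
    // Constant-time comparison so response timing does not leak how many bytes matched.
    return hash_equals($cookie[CSRF_COOKIE], $post[CSRF_FIELD]);
}

function regenerate_token(): void
{
    // Equivalent of csrf_regenerate = TRUE: discard the used token so the next form gets a new one.
    setcookie(CSRF_COOKIE, '', time() - 3600, '/');
    unset($_COOKIE[CSRF_COOKIE]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST, $_COOKIE)) {
        http_response_code(403);
        exit('The action you have requested is not allowed.'); // same outcome CodeIgniter gives
    }
    regenerate_token(); // must happen before any output, since it sends a Set-Cookie header
    echo 'Message accepted: ' . htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}

$token = csrf_token(); // GET: make sure the browser has a token, then embed it in the form
?>
<form method="post" action="">
  <input type="hidden" name="<?= CSRF_FIELD ?>" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="message">
  <button type="submit">Send</button>
</form>
```

A form served by another origin cannot read this cookie or guess the token, so its POST arrives with the cookie but without a matching csrf_test_name field and is rejected with 403; removing the hidden field from the served form, or editing its value, produces the same rejection, which is a quick way to confirm the check is active.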

In this post, we have learned the basics of CodeIgniter CSRF protection and the steps to enable it. Of course, there are other methods, but we chose this one as it is simple and easy. You can ask us if you have any queries.
