Secure CodeIgniter application using CSRF token

Rakesh Sharma      5 Comments  

Secure a CodeIgniter application using a CSRF token, and use the token with AJAX calls

In CodeIgniter 2, Cross-Site Request Forgery (CSRF or XSRF) protection is a built-in feature. You only need to change a config variable in the config file to turn it on. Once CSRF protection is enabled, all your forms are secured: every POST request to your CodeIgniter application is now checked against the CSRF token.

What is a CSRF token :-

A Cross-Site Request Forgery token is a hash string that is included in each form and sent with every form submission. On submission it is checked against the token already saved in the cookie/session: if both values match, the request is accepted, otherwise it is declined. In CodeIgniter the CSRF token value is added in a hidden input field and sent with POST requests.

Enable CSRF protection in CodeIgniter :-

To enable CSRF protection in a CodeIgniter application, open “application/config/config.php” and search for the CSRF settings.

$config['csrf_protection'] = TRUE; // default is FALSE
$config['csrf_token_name'] = 'csrftest_name';
$config['csrf_cookie_name'] = 'csrfcookie_name';

You can also change the name settings; the token field and cookie will then use the names you give here.

Use the CSRF token :-

1. Form helper :- CodeIgniter has its own classes and functions to build a form and its fields, so you only need to load the form helper. There are two ways to load it:

a. Direct call in the controller :- add the line below to your controller function; it loads the form helper only for the views of that controller.

$this->load->helper('form');

b. Autoload :- open “application/config/autoload.php” and add the form helper to the $autoload['helper'] array. This loads the form helper for the whole CodeIgniter application.

$autoload['helper'] = array('form');

After loading the form helper, use the form_open() function to build a form in the view:

<?php echo form_open('login');?>
<input type="text" name="email" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Submit" />
<?php echo form_close();?>

Now save this file and inspect the element or view the page source of the form. The form helper has automatically added a hidden input field with a random hash token value to prevent CSRF, like below.

<form action="http://localhost/codeigniter/index.php/login" method="post" accept-charset="utf-8">
<div style="display:none">
<input type="hidden" value="ef8c930e54108d8ba04835dba87c9611" name="csrftest_name">
</div>
<input type="text" name="email" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Submit" /> 
</form>

2. Manually :- if you don’t want to use the form_open() function to build the form, you can add the hidden input field directly, using the Security class functions to insert the CSRF token name and value, like below.

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>">
<!-- renders as: <input type="hidden" name="csrftest_name" value="0729bc908947526aa2e7951fb9066701" /> -->

Now you are done securing the forms of your CodeIgniter application using the CSRF token.

Using with AJAX calls :-

Now, when CSRF protection is on, you will get a “500 Internal Server Error” when posting data with an AJAX call, because the request does not carry the token. So we need to send the CSRF token with the AJAX request as well. Let’s see how to send the CSRF token with an AJAX call and secure the AJAX calls of a CodeIgniter application using the CSRF token.


<script type="text/javascript">
// $this->security->get_csrf_token_name() returns the CSRF token name (csrftest_name here)
// $this->security->get_csrf_hash() returns the current CSRF token value
$.ajax({
   url: "test.php",
   type: "post",
   data: {
     '<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>',
     /* ....your data.... */
   },
   success: function(){
     alert("success");
   },
   error: function(){
     alert("failure");
   }
});
</script>

Now, after updating this code, make an AJAX call and you will get a success response. You are now done securing your CodeIgniter application using the CSRF token on basic forms and on AJAX calls.

  • Bipin Kareparambil

    Thank you.. :) (y)

  • thanks much <3

  • Muhammed Shuhaib

    How to give CSRF security for only a single form in a website, not for all other forms?

  • julio

    Is it necessary to validate this token number on the controller? If so, how to validate it on the controller?

  • Ambar Hasbiyatmoko

    Thank you, CSRF works for AJAX.