secure your codeigniter application using csrf token _ sujit shah

Post on 07-Sep-2015


DESCRIPTION

Securing a CodeIgniter application with CSRF protection: this tutorial describes how to implement CSRF tokens in a CodeIgniter application so that attackers cannot exploit it as easily. Please don't miss this tutorial.

TRANSCRIPT

2/21/2015 Secure Your CodeIgniter Application using CSRF Token | Sujit Shah

http://www.sks.com.np/secure-your-codeigniter-application-using-csrf-token/

Sujit Shah, Web Developer Nepal

Secure Your CodeIgniter Application using CSRF Token

October 27, 2014 by admin in CodeIgniter

In this tutorial we will learn how to make our website more secure and protect it from CSRF when using the CodeIgniter web application framework. Thanks to the CodeIgniter team for building in support against Cross-Site Request Forgery (CSRF or XSRF).

Once CSRF protection is enabled, the CodeIgniter framework automatically protects forms built with the form helper. For custom forms and AJAX calls, we need to put the CSRF token name and its value in a hidden input field (or in the POST data) and send them with every POST request.

Enable CSRF in the Config file

To enable CSRF protection we need to modify the config file of the CodeIgniter framework. We just need to change FALSE to TRUE in our application/config/config.php file, for example:

    $config['csrf_protection'] = TRUE;

After this change our web application is protected against CSRF. But if we use a custom form instead of the CodeIgniter form helper, the POST request will fail and show the following error:

It means our CSRF protection is working, and we need to update the forms to add a CSRF token to the POST data.


Add CSRF Tokens using the form helper or manually

We have two ways to add CSRF tokens. If we build the form with the CodeIgniter form helper class, the CSRF token is added automatically. If we use a custom form, we need to add a hidden input with the token name and its value ourselves.

When we use the form helper class:

Using the form helper class will automatically add a hidden input field to the form with a random token value to prevent CSRF.

Output:

When we use a custom form:

We need to add a hidden input field to protect our custom form against CSRF.

For example:
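As an added example (not code from the original post), here is a CodeIgniter view that shows both approaches side by side: form_open() from the form helper, which writes the hidden token field itself, and a hand-written form where the hidden field is added manually. It assumes CSRF protection is enabled in config.php and that the form and url helpers are loaded; the 'user/login' route and the field names are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes $config['csrf_protection'] = TRUE
// and that the form and url helpers are loaded (autoload or $this->load->helper()).
// 'user/login' and the field names are hypothetical.
?>

<!-- 1. Form helper: form_open() emits the hidden CSRF token field automatically
        because the action points at this site and CSRF protection is on. -->
<?php echo form_open('user/login', array('id' => 'login')); ?>
    <?php echo form_input('username'); ?>
    <?php echo form_password('password'); ?>
    <?php echo form_submit('submit', 'Login'); ?>
<?php echo form_close(); ?>

<!-- 2. Custom form: the hidden token field has to be written by hand. The field
        name must match $config['csrf_token_name'] (default 'csrf_test_name'), so
        it is read from the Security class instead of being hard-coded. -->
<form method="post" action="<?php echo site_url('user/login'); ?>" id="login_custom">
    <input type="hidden"
           name="<?php echo $this->security->get_csrf_token_name(); ?>"
           value="<?php echo $this->security->get_csrf_hash(); ?>" />
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>
```

Leaving the hidden field out of the custom form is exactly what triggers the error described above, since the Security class rejects every POST without a matching token.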


How to use CSRF in an AJAX/jQuery call

If we are using AJAX in our web application and the token is not passed with the POST data, CodeIgniter will return an error 500 (Internal Server Error). It means we need to use the CSRF token in all forms and pass it with the POST data. There are many ways to pass the CSRF token with POST data, and it depends on you: the form helper class adds it automatically, while in a custom field we need to code it manually and send the CSRF token name with its random value.

For example:

    // csrf_value must hold the token value rendered by the server; 'csrf_test_name'
    // is the default $config['csrf_token_name'].
    var csrf_value = '';
    $.post('POST URL', {data: 'value', 'csrf_test_name': csrf_value}, function (response) {
        // handle response
    }, 'json');

How to use CSRF in AJAX/jQuery serialization

If you want to use AJAX serialization, it is very easy: just open and close your form using the form helper class of CodeIgniter, and the hidden token field is serialized along with the other fields.

For example:


    $.post(ajax_url, $('#login').serialize(), function (response) {
        // handle response
    }, 'json');
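The two AJAX approaches described above, as an added example that is not part of the original post: a view that renders the token name and value into JavaScript for an explicit data object, and a form_open() form whose hidden token field travels along when the form is serialized. It assumes the form and url helpers are loaded and uses a hypothetical 'ajax/login' route.

```php
<?php
// Added example (not from the original post). Assumes $config['csrf_protection'] = TRUE,
// the form and url helpers loaded, and a hypothetical 'ajax/login' POST route.
?>
<?php echo form_open('ajax/login', array('id' => 'login')); ?>
    <?php echo form_input('username'); ?>
    <?php echo form_password('password'); ?>
<?php echo form_close(); ?>

<script type="text/javascript">
// Token name and value rendered by the server. The name is read from the Security
// class so it always matches $config['csrf_token_name'] (default 'csrf_test_name').
var csrf_name  = '<?php echo $this->security->get_csrf_token_name(); ?>';
var csrf_value = '<?php echo $this->security->get_csrf_hash(); ?>';
var ajax_url   = '<?php echo site_url('ajax/login'); ?>';

// 1. Explicit data object: add the token under its configured name.
var data = {username: 'alice'};
data[csrf_name] = csrf_value;
$.post(ajax_url, data, function (response) {
    // handle response
}, 'json');

// 2. Serialization: form_open() already placed the hidden token field inside
//    #login, so serialize() sends it together with the other fields.
$.post(ajax_url, $('#login').serialize(), function (response) {
    // handle response
}, 'json');

// If the framework is configured to regenerate the token on every request,
// csrf_value must be refreshed after each call (for example from a value the
// server includes in its JSON response) or the next POST will be rejected.
</script>
```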

Disable CSRF for a third-party API

When we are using a third-party API such as the Facebook API or Twitter API in our web application, we need to disable CSRF protection in the controller or function (method) that receives the response. For this we need to disable it for that controller or function only, for example:

    if (isset($_SERVER["REQUEST_URI"])) {
        if (stripos($_SERVER["REQUEST_URI"], '/ajax/') === FALSE                // all ajax controllers
            && stripos($_SERVER["REQUEST_URI"], '/facebook_app/') === FALSE    // all facebook controllers
            && stripos($_SERVER["REQUEST_URI"], '/twitter_app/login') === FALSE // only the login function
        ) {
            $config['csrf_protection'] = TRUE;
        } else {
            $config['csrf_protection'] = FALSE;
        }
    } else {
        $config['csrf_protection'] = TRUE;
    }
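A stricter variant of the switch above, added here as an example and not taken from the original post: it matches the exempt paths only at the start of the request path (query string stripped), so a URL that merely contains '/ajax/' somewhere else does not switch protection off. It assumes the application lives at the web root and that index.php is removed from URLs by a rewrite rule; the exempt paths are the hypothetical ones from the post.

```php
<?php
// Added example for application/config/config.php (not from the original post).
// Exempt paths are matched only as prefixes of the URI path, not anywhere in the
// string as stripos() does above. Assumes the application lives at the web root and
// index.php is removed from URLs by a rewrite rule; otherwise adjust the prefixes.

// Paths allowed to skip CSRF protection (the hypothetical ones from the post).
$csrf_exempt_prefixes = array(
    '/ajax/',             // all ajax controllers
    '/facebook_app/',     // all facebook controllers
    '/twitter_app/login', // only the login function
);

if ( ! function_exists('csrf_enabled_for'))
{
    /**
     * Return FALSE when the path of $request_uri starts with an exempt prefix,
     * TRUE otherwise. Only the path component is compared, so a query string
     * containing one of these strings cannot switch protection off, and the
     * match is anchored at position 0 (case-insensitive, like stripos() above).
     */
    function csrf_enabled_for($request_uri, array $exempt_prefixes)
    {
        $path = parse_url($request_uri, PHP_URL_PATH);
        if ( ! is_string($path))
        {
            return TRUE; // unparsable URI: keep protection on
        }
        foreach ($exempt_prefixes as $prefix)
        {
            if (strncasecmp($path, $prefix, strlen($prefix)) === 0)
            {
                return FALSE;
            }
        }
        return TRUE; // default: protected
    }
}

// Protection stays on unless the request path is explicitly exempt.
$config['csrf_protection'] = isset($_SERVER['REQUEST_URI'])
    ? csrf_enabled_for($_SERVER['REQUEST_URI'], $csrf_exempt_prefixes)
    : TRUE;
```

CodeIgniter 3.0 and later also ship a `$config['csrf_exclude_uris']` array in config.php for listing URIs that should skip CSRF checks, which avoids hand-written URI matching altogether.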


Copyright 2012-2013 Sujit Shah.
