CodeIgniter: Using CSRF Tokens to Secure Your Application

Protecting your CodeIgniter application from Cross-Site Request Forgery (CSRF or XSRF) attacks is pretty easy thanks to the built-in support. Once CSRF protection is enabled in the config file, you can use the form helper or custom code to protect your forms and AJAX calls from CSRF. With protection enabled, the framework checks for a valid token on every POST request (GET requests are not checked), so any form or AJAX call that POSTs data must include it – here’s how to update your application.

Enable CSRF Protection

To enable CSRF protection in your CodeIgniter application, edit the application/config/config.php file and look for $config['csrf_protection']. Change the setting to TRUE (if it isn’t already) to enable protection. If you then test a form or AJAX call in your application, the request will fail showing a generic error:

(Screenshot: CSRF failure error page in CodeIgniter)

This means that CSRF protection is working, and we now need to update the forms to add a CSRF token to the POST data.

Updating forms with CSRF tokens

The easiest way to update your forms is to use the Form Helper. Load the form helper manually (in your controller) or add it to the application/config/autoload.php file and call echo form_open('login'); (the first parameter is the form action, and the second parameter is an array of attributes):

Using form_open() automatically adds a hidden input to the form whose name is the value of $config['csrf_token_name'] and whose value is the randomly generated token CodeIgniter checks to prevent CSRF.

If you don’t want to use form_open(), you can add it to your form manually with:
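The hidden field written out by hand, as an added example that is not the original post's snippet. It assumes a CodeIgniter 2.x/3.x view with CSRF protection enabled, and uses only the framework's Security and Config classes so the field name and hash are never hard-coded:

```php
<?php
// Added example, not the original post's snippet: a CodeIgniter 2.x/3.x view
// that writes the login form by hand instead of calling form_open().
// The field name comes from $config['csrf_token_name'] and the value from the
// per-request hash the Security class manages, so neither is hard-coded.
$csrf_name = $this->security->get_csrf_token_name();
$csrf_hash = $this->security->get_csrf_hash();
?>
<form action="<?php echo $this->config->site_url('login'); ?>" method="post">
  <!-- Equivalent of the hidden input that form_open() adds automatically -->
  <input type="hidden"
         name="<?php echo htmlspecialchars($csrf_name, ENT_QUOTES); ?>"
         value="<?php echo htmlspecialchars($csrf_hash, ENT_QUOTES); ?>">
  <label for="username">Username</label>
  <input type="text" id="username" name="username">
  <label for="password">Password</label>
  <input type="password" id="password" name="password">
  <button type="submit">Log in</button>
</form>
```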

After updating your form, test the code by POSTing some data; the request should now go through as normal. To test it further, edit the value of the CSRF input (e.g. using Chrome’s developer tools), then submit the form again. Changing the CSRF token will result in the above error message, as CodeIgniter rejects any token that does not match the one it issued.

(Screenshot: editing the CSRF token in Chrome)

Updating AJAX Calls

AJAX calls that POST data will also fail if the CSRF token is not added. CodeIgniter will return an Error 500 (Internal Server Error) for failed AJAX calls that do not contain a valid CSRF token field. There are a number of ways the token can be included, depending on how you’ve coded your application. I’ve included two different examples below:

Using JavaScript variables

Using Form Serialization

Once the changes have been made, test the AJAX call to see if the request is posted correctly and a valid response is received.
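Both approaches in one view, as an added example that is not the original post's snippets. It assumes jQuery is loaded and a hypothetical `ajax/save` controller method that answers with JSON; the token name and hash come from the framework exactly as in the form case:

```php
<?php
// Added example, not the original post's snippets: a view that supplies the
// CSRF token to jQuery both ways. The POST target 'ajax/save' is a
// hypothetical controller method; substitute your own.
$csrf_name = $this->security->get_csrf_token_name();
$csrf_hash = $this->security->get_csrf_hash();
$save_url  = $this->config->site_url('ajax/save');
?>
<form id="profile-form" method="post">
  <!-- Serialization variant: the hidden field travels with the other fields -->
  <input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>">
  <input type="text" name="display_name">
  <button type="submit">Save</button>
</form>

<script>
// Variant 1: JavaScript variables. The name is not hard-coded because it
// follows $config['csrf_token_name'] and differs between installations.
var csrfName = '<?php echo $csrf_name; ?>';
var csrfHash = '<?php echo $csrf_hash; ?>';
var saveUrl  = '<?php echo $save_url; ?>';

function saveDisplayName(value) {
  var data = { display_name: value };
  data[csrfName] = csrfHash;          // add the token under its configured name
  return $.ajax({ url: saveUrl, type: 'POST', data: data, dataType: 'json' });
}

// Variant 2: form serialization. serialize() already picks up the hidden
// CSRF input, so the data object needs nothing extra.
$('#profile-form').on('submit', function (e) {
  e.preventDefault();
  $.ajax({ url: saveUrl, type: 'POST', data: $(this).serialize(), dataType: 'json' })
    .fail(function (xhr) {
      // A missing or stale token is rejected server-side (the error page the
      // post shows; HTTP 500 in the version described above). Surface it
      // instead of failing silently.
      console.log('Request rejected with HTTP ' + xhr.status);
    });
});
</script>
```

If $config['csrf_regenerate'] is enabled (CodeIgniter 3), the hash changes after every POST, so a second call that reuses csrfHash is rejected; re-read the value from the CSRF cookie (named by $config['csrf_cookie_name']) or have the controller return the new hash in its JSON response before the next request.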

CodeIgniter, jQuery, PHP, Security

25 comments on “CodeIgniter: Using CSRF Tokens to Secure Your Application”

  1. donny says:
    June 27, 2014 at 10:43 AM

    Thanks man,
    this is a great post 🙂

    Reply
  2. Piyush Chauhan says:
    July 30, 2014 at 2:27 PM

    Great Post

    Reply
  3. Erwin says:
    September 3, 2014 at 6:44 PM

    I’m using this framework, but I have a problem checking the existence of this hidden field in my controller. I do something like this: if ($this->input->post('token')): more code here endif; and that condition does not work, as if the field does not exist, but in reality it does exist. I am sending $("#form").serialize(); or dudes = {'token': token} and nothing. Any suggestions? Maybe someone has had this before. Thank you

    Reply
    • Niraj Shah says:
      September 4, 2014 at 5:06 PM

      Are you sure the data is being POSTed to your script using ajax?

      Reply
    • anthony lloveras says:
      December 9, 2014 at 1:15 AM

      try var_dump($this->input->post()) and check the index of the token, because it was set dynamically.

      Reply
  4. Priya says:
    October 17, 2014 at 12:38 PM

    Thank a lot

    Reply
  5. SirOne says:
    October 24, 2014 at 5:26 PM

    Thanks for the information.
    It helped me a lot!!!

    Reply
  6. Jama' says:
    December 2, 2014 at 2:21 AM

    Thanks…Great Post…

    Reply
  7. Esteban says:
    January 8, 2015 at 7:50 PM

    Thank you!

    Reply
  8. raghda says:
    March 19, 2015 at 1:23 PM

    Thanks, but when I use it, it shows this warning:

    A PHP Error was encountered

    Severity: Warning

    Message: Illegal string offset ‘csrf_test_name’

    Filename: helpers/form_helper.php

    Line Number: 70

    Reply
    • Niraj Shah says:
      March 26, 2015 at 9:40 AM

      Sounds like your CSRF cookie name may be called something else. Check the config.php file and see what the value of $config['csrf_token_name'] is. Also, check that CSRF protection is enabled. This tutorial is quite old so the CodeIgniter implementation for this could have also changed.

      Reply
  9. ugy says:
    May 21, 2015 at 9:45 AM

    Thanks for the useful post. I followed your steps, and it works on localhost. I use jQuery UI autocomplete to show the data I search for, and it works.

    But when the project is uploaded to the online server, the console.log says “500 (Internal Server Error)” when a word is typed. And autocomplete does not work. I don’t know what happened. Maybe you can give me some advice to solve my problem.

    Thanks, man

    Reply
    • Niraj Shah says:
      May 21, 2015 at 10:57 AM

      This sounds like a configuration issue with your server rather than a script issue. Make sure mod_rewrite / .htaccess is configured correctly to allow routing to your controller, specifically, try visiting data/header/lookup in a browser and make sure it works.

      Reply
      • ugy says:
        May 22, 2015 at 4:15 AM

        Thanks Mr. Niraj for your reply, I have fixed my problem. Before data is sent using ajax, the values of the get_csrf_token_name() method and get_csrf_hash() method must be set up with the ajaxSetup() method, then added to the ajax function, then sent. And it works well 🙂

        But how do we add csrf data if we want to send more variables using ajax?

        Thanks in advance…

      • Niraj Shah says:
        September 4, 2015 at 7:22 PM

        Added the CSRF variables to an array and then add any additional data your wish to send via Ajax. E.g.:

        var data = { 'foo': 'bar', '<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>' };

  10. Jos Faber says:
    August 7, 2015 at 10:01 AM

    What if there’s no form or ajax call at all? I have a delete button for objects that link to a delete method in it’s controller (e.g. /admin/article/delete/23). I can create params with token and hash, but how to check them in the controllers delete method?

    Reply
    • Niraj Shah says:
      August 14, 2015 at 7:55 PM

      With the delete button, it’s better to wrap your button with a Form and you can use the same code to validate the request. Optionally, you can add the CSRF token to the end of the delete button URL and validate it manually when clicked.

      Reply
  11. manujaword says:
    January 22, 2016 at 11:40 AM

    Superb tute. Tx a lot. -Ujitha-

    Reply
  12. Ariansyah.net says:
    August 5, 2016 at 1:43 PM

    hi admin, whether CSRF value can be used to change parameter in address bar url? replace encrypt ci?

    Reply
    • Niraj Shah says:
      September 12, 2016 at 10:06 PM

      Sorry, not sure what you’re exactly asking?

      Reply
  13. irfan says:
    October 28, 2016 at 8:02 AM

    can we use only csrf without AJAX calls?
    and where we use AJAX calls ?

    Reply
    • Niraj Shah says:
      November 6, 2016 at 7:33 PM

      You can use csrf for both. However, for ajax calls, you’ll need to pass the token in your data / form and validate in a similar way to form data.

      Reply
    • Jos Faber says:
      November 7, 2016 at 4:43 PM

      Can use both. When enabled in config it’s added by default to every form and checked on submit. When you want to use it in AJAX or -in my case- delete URLs, just add it to the URL as a URL param and check it in the controller.

      Add to URLs with (controller):

      $this->data['token_hash'] = $this->security->get_csrf_hash();

      And (view):

      $url = 'admin/item/delete/' . $question->id . '?h=' . $token_hash;

      Check in controller:

      // Strict comparison: a loose != on two hex hashes can treat digit-only "0e..." strings as equal numbers
      if ( $_GET['h'] !== $this->session->userdata('token_hash') ) {
          $this->session->set_flashdata('notif', array('class'=>'error', 'message'=>'Question was not deleted due to security error'));
          redirect('admin/faq/?page='.$this->input->get('page'));
      }
      $this->session->unset_userdata('token_hash');

      Reply
  14. s2y117 says:
    November 15, 2019 at 4:23 AM

    It works if it is a single row.
    From the next line, a 403 error occurs.
    Cause and Countermeasure?
    Thanks

    Reply
    • Niraj Shah says:
      November 16, 2020 at 10:32 AM

      You need to be more specific. Which part of the code works as a single line?

      Reply

© 2011-2025 Niraj Shah