Protect a CodeIgniter Application Against CSRF

CSRF stands for Cross Site Request Forgery. Here we will learn about “How simply protect the CodeIgniter application against CSRF attack”.

CodeIgniter comes with Cross Site Scripting prevention filter, which identifies commonly used techniques to trigger JavaScript or other types of code that attempt to hack cookies or do other harmful things.

What is CSRF Attack?

The attacker is created one fack form like “Search Form” or “Login Form”. That form has some hidden input field and some harmful data. Now attacker forced to logged-in user’s browser to send fake HTTP request including user’s session, cookie and other authentication information to a web application. This form not used attacker’s site to perform the operation, rather then it’s come to your site and perform the operation! Since your website will trust that the form is genuine, it goes through and executes the requested actions.

Now think a user is logged into your website and he/she redirected to attacker’s website for some reason. The attacker’s form could point to your account deletion form on your site. If the user performs a “search” on the attackers’ site, his account will then be deleted without him knowing.

How To Protect The CodeIgniter Application Against CSRF Attack ?

Solution : Token Method

If You want To protect your website against CSRF attack there is one solution, To create TOKEN on every HTTP request and connect both HTTP request and submitting the form. Many ways to do this task but in CodeIgniter used hidden field mechanism which is called CSRF TOKEN. CSRF TOKEN generating a unique token on every HTTP request sent.

CSRF TOKEN exists on a website form, It’s also get saved on user’s session. When the form is submitted, the website matches both the Tokens [Submitted Token and one saved in session]. If both are matched request is made authorized. The token value changes on every page load, So it’s hard for an attacker to identify current Token value.

How to ENABLE CSRF Protection?

For enable CSRF Protection goto “application/config” and open “config.php” file. Change following parameters TRUE from FALSE.

How to generate CSRF token?

To make every token unique you need to generate CSRF Token at the time of a new request. Implement name and value of the CSRF Token at the time of object creation. Refer following code for Token generating.

The main functions for the CSRF Token matching.

In this function first checks the values of Cookie set or not. If Cookies value is set then used that value and match it with website token. Each request would overwrite the previous request.

Whenever the form is submitted the function will call every time. If the request is not POST request then set the CSRF Cookie and if a request is POST request then compare Tokens value with a cookie and generate the new token in case there isn’t one. Inject the token into all forms using CodeIgniter form_open() function.


So here we have learned about how to protect the CodeIgniter application against CSRF attack. There are many other methods are also available for generating CSRF Token. Please feel free to comment and ask us for any query, If you found something wrong or want to contribute please contact us.