summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@bofh.bg>2012-10-24 20:28:25 +0200
committerAndrey Andreev <narf@bofh.bg>2012-10-24 20:31:40 +0200
commitf795ab52dadaef20afd3a97ad4c8ed408e211dc2 (patch)
tree1f5eb143a0fd980832590b4f950fd2a260998ac3
parent2dce1ffda218456e19f28edce8b0d74122f4d55c (diff)
[ci skip] Document get_csrf_token_name(), get_csrf_hash() (issue #715)
-rw-r--r--system/core/Security.php2
-rw-r--r--user_guide_src/source/libraries/security.rst45
2 files changed, 39 insertions, 8 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 2fbc5b34c..d7c82712d 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -161,7 +161,7 @@ class CI_Security {
}
// Do the tokens exist in both the _POST and _COOKIE arrays?
- if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name])
+ if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
{
$this->csrf_show_error();
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index e7d25555f..05553142f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -26,7 +26,7 @@ processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
$this->security->xss_clean()
-=============================
+============================
Here is an usage example::
@@ -56,7 +56,7 @@ browser may attempt to execute.
}
$this->security->sanitize_filename()
-=====================================
+====================================
When accepting filenames from user input, it is best to sanitize them to
prevent directory traversal and other security related issues. To do so,
@@ -76,16 +76,35 @@ parameter, $relative_path to TRUE.
Cross-site request forgery (CSRF)
=================================
-You can enable csrf protection by opening your
+You can enable CSRF protection by opening your
application/config/config.php file and setting this::
$config['csrf_protection'] = TRUE;
-If you use the :doc:`form helper <../helpers/form_helper>` the
-form_open() function will automatically insert a hidden csrf field in
-your forms.
+If you use the :doc:`form helper <../helpers/form_helper>`, then
+``form_open()`` will automatically insert a hidden csrf field in
+your forms. If not, then you can use ``csrf_get_token_name()``
+and ``csrf_get_hash()``
-Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+::
+
+ $csrf = array(
+ 'name' => $this->security->csrf_get_token_name(),
+ 'hash' => $this->security->csrf_get_hash()
+ );
+
+ ...
+
+ <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
+
+Tokens may be either regenerated on every submission (default) or
+kept the same throughout the life of the CSRF cookie. The default
+regeneration of tokens provides stricter security, but may result
+in usability concerns as other tokens become invalid (back/forward
+navigation, multiple tabs/windows, asynchronous actions, etc). You
+may alter this behavior by editing the following config parameter
+
+::
$config['csrf_regeneration'] = TRUE;
@@ -95,3 +114,15 @@ by editing the 'csrf_exclude_uris' config parameter::
$config['csrf_exclude_uris'] = array('api/person/add');
+$this->security->get_csrf_token_name()
+======================================
+
+Returns the CSRF token name, which is set by
+``$config['csrf_token_name']``.
+
+$this->security->get_csrf_hash()
+================================
+
+Returns the CSRF hash value. Useful in combination with
+``get_csrf_token_name()`` for manually building forms or
+sending valid AJAX POST requests. \ No newline at end of file