summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/libraries/security.rst
diff options
context:
space:
mode:
authorJonatas Miguel <jonatas.df.miguel@gmail.com>2012-10-25 13:19:17 +0200
committerJonatas Miguel <jonatas.df.miguel@gmail.com>2012-10-25 13:19:17 +0200
commit33b321b92b6df59cc5cf96a4f739636cdc537115 (patch)
tree787efffdebb8ae2e76fcea2811e40d504d09dd19 /user_guide_src/source/libraries/security.rst
parentf73bc3ef4ad28c13c24db6eff8adda141adef01d (diff)
parente47425844e84d54c659280c04f450a3526b4e09d (diff)
Merge branch 'develop' of git://github.com/EllisLab/CodeIgniter into develop
Diffstat (limited to 'user_guide_src/source/libraries/security.rst')
-rw-r--r--user_guide_src/source/libraries/security.rst45
1 files changed, 38 insertions, 7 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index e7d25555f..05553142f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -26,7 +26,7 @@ processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
$this->security->xss_clean()
-=============================
+============================
Here is an usage example::
@@ -56,7 +56,7 @@ browser may attempt to execute.
}
$this->security->sanitize_filename()
-=====================================
+====================================
When accepting filenames from user input, it is best to sanitize them to
prevent directory traversal and other security related issues. To do so,
@@ -76,16 +76,35 @@ parameter, $relative_path to TRUE.
Cross-site request forgery (CSRF)
=================================
-You can enable csrf protection by opening your
+You can enable CSRF protection by opening your
application/config/config.php file and setting this::
$config['csrf_protection'] = TRUE;
-If you use the :doc:`form helper <../helpers/form_helper>` the
-form_open() function will automatically insert a hidden csrf field in
-your forms.
+If you use the :doc:`form helper <../helpers/form_helper>`, then
+``form_open()`` will automatically insert a hidden csrf field in
+your forms. If not, then you can use ``csrf_get_token_name()``
+and ``csrf_get_hash()``
-Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+::
+
+ $csrf = array(
+ 'name' => $this->security->csrf_get_token_name(),
+ 'hash' => $this->security->csrf_get_hash()
+ );
+
+ ...
+
+ <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
+
+Tokens may be either regenerated on every submission (default) or
+kept the same throughout the life of the CSRF cookie. The default
+regeneration of tokens provides stricter security, but may result
+in usability concerns as other tokens become invalid (back/forward
+navigation, multiple tabs/windows, asynchronous actions, etc). You
+may alter this behavior by editing the following config parameter
+
+::
$config['csrf_regeneration'] = TRUE;
@@ -95,3 +114,15 @@ by editing the 'csrf_exclude_uris' config parameter::
$config['csrf_exclude_uris'] = array('api/person/add');
+$this->security->get_csrf_token_name()
+======================================
+
+Returns the CSRF token name, which is set by
+``$config['csrf_token_name']``.
+
+$this->security->get_csrf_hash()
+================================
+
+Returns the CSRF hash value. Useful in combination with
+``get_csrf_token_name()`` for manually building forms or
+sending valid AJAX POST requests. \ No newline at end of file