summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/libraries/security.rst
diff options
context:
space:
mode:
authorEric Roberts <eric@cryode.com>2012-12-12 14:02:11 +0100
committerEric Roberts <eric@cryode.com>2012-12-12 14:02:11 +0100
commitb9e35f21e1c70b6aa67c47e9244ed83195abc00a (patch)
tree64f82db362deeac48cc20d1d1afd80651f36f5a5 /user_guide_src/source/libraries/security.rst
parent0b05705c52c3bca7f9b3aee657c888e8ad1ff422 (diff)
parent545a7c86701875e1412bcde316e9bcc76d9a23a0 (diff)
Merge branch 'refs/heads/develop' into feature/form_error_msgs
Conflicts: system/language/english/form_validation_lang.php user_guide_src/source/libraries/form_validation.rst Signed-off-by: Eric Roberts <eric@cryode.com>
Diffstat (limited to 'user_guide_src/source/libraries/security.rst')
-rw-r--r--user_guide_src/source/libraries/security.rst45
1 files changed, 38 insertions, 7 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index e7d25555f..05553142f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -26,7 +26,7 @@ processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
$this->security->xss_clean()
-=============================
+============================
Here is an usage example::
@@ -56,7 +56,7 @@ browser may attempt to execute.
}
$this->security->sanitize_filename()
-=====================================
+====================================
When accepting filenames from user input, it is best to sanitize them to
prevent directory traversal and other security related issues. To do so,
@@ -76,16 +76,35 @@ parameter, $relative_path to TRUE.
Cross-site request forgery (CSRF)
=================================
-You can enable csrf protection by opening your
+You can enable CSRF protection by opening your
application/config/config.php file and setting this::
$config['csrf_protection'] = TRUE;
-If you use the :doc:`form helper <../helpers/form_helper>` the
-form_open() function will automatically insert a hidden csrf field in
-your forms.
+If you use the :doc:`form helper <../helpers/form_helper>`, then
+``form_open()`` will automatically insert a hidden csrf field in
+your forms. If not, then you can use ``csrf_get_token_name()``
+and ``csrf_get_hash()``
-Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+::
+
+ $csrf = array(
+ 'name' => $this->security->csrf_get_token_name(),
+ 'hash' => $this->security->csrf_get_hash()
+ );
+
+ ...
+
+ <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
+
+Tokens may be either regenerated on every submission (default) or
+kept the same throughout the life of the CSRF cookie. The default
+regeneration of tokens provides stricter security, but may result
+in usability concerns as other tokens become invalid (back/forward
+navigation, multiple tabs/windows, asynchronous actions, etc). You
+may alter this behavior by editing the following config parameter
+
+::
$config['csrf_regeneration'] = TRUE;
@@ -95,3 +114,15 @@ by editing the 'csrf_exclude_uris' config parameter::
$config['csrf_exclude_uris'] = array('api/person/add');
+$this->security->get_csrf_token_name()
+======================================
+
+Returns the CSRF token name, which is set by
+``$config['csrf_token_name']``.
+
+$this->security->get_csrf_hash()
+================================
+
+Returns the CSRF hash value. Useful in combination with
+``get_csrf_token_name()`` for manually building forms or
+sending valid AJAX POST requests. \ No newline at end of file