Setting Up CSRF Protection in Codeigniter 3.0

     CSRF (Cross-Site Request Forgery) is a class of web attack in which the attacker causes a request to be executed in the victim's name, without the victim's authorization. It works because the browser automatically attaches the victim's session cookie to any request sent to the site, even one triggered from a page the attacker controls. A CSRF attack is possible when a website has no request-token mechanism, so an attacker can send a request (for example, a form submission) from outside the site instead of through the site's own form. If the victim is not careful, a successful CSRF attack can force the user to make data-changing requests such as updating a personal profile or email address, or, more dangerously, to carry out a funds transfer.



     For this reason it is important to apply a CSRF protection mechanism (CSRF Protection) on our website. This post discusses setting up CSRF Protection in a web application based on Codeigniter 3.0. The CSRF Protection mechanism has been present in the Codeigniter framework since version 2.x.x, but Codeigniter 3.0 provides several additional settings that raise the level of security.

Configuration.  

     To enable CSRF Protection in Codeigniter 3.0 we need to change the settings in the file /application/config/config.php:


    
$config['csrf_protection'] = TRUE;                // set TRUE to enable CSRF protection
$config['csrf_token_name'] = 'csrf_test_name';    // name of the CSRF token field (the POST parameter)
$config['csrf_cookie_name'] = 'csrf_cookie_name'; // name of the cookie that holds the token hash
$config['csrf_expire'] = 7200;                    // token lifetime in seconds
$config['csrf_regenerate'] = TRUE;                // if TRUE, a new token is generated on every request
$config['csrf_exclude_uris'] = array();           // list of URIs that are exempt from CSRF protection

    The settings above are the CSRF Protection settings in Codeigniter 3.0. Some of them do not exist in Codeigniter 2.x.x, namely $config['csrf_regenerate'] and $config['csrf_exclude_uris']. With $config['csrf_exclude_uris'] we can easily list any action in a controller that should not be subject to CSRF Protection, for example an action that serves AJAX requests; bear in mind that an excluded action is completely unprotected, so only exclude actions that do not change any state. $config['csrf_regenerate'] makes Codeigniter generate a new CSRF token on every request, so that a token that leaks or is reused later is useless; the trade-off is that a token rendered into a page becomes stale as soon as any POST is made from another tab or from an AJAX call, so such requests must pick up the new token.
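    To make the effect of these settings concrete, here is an added example (not Codeigniter's own code, and not from the original post): a simplified PHP model of the check that Codeigniter 3 performs in Security::csrf_verify() before the controller runs. It replaces $_POST, $_COOKIE and the URI string with values passed in so it runs from the command line, and the helper csrf_generate_hash() is an assumed stand-in for the framework's hash generation; the excluded route api/ping is also assumed.

```php
<?php
// Added example, not Codeigniter's own code: a simplified model of the CSRF
// check Codeigniter 3 runs before every controller. Request data is passed in
// as plain arrays instead of $_POST / $_COOKIE so it runs from the CLI.

// Assumed stand-in for the framework's hash generation.
function csrf_generate_hash()
{
    return bin2hex(random_bytes(16));
}

/**
 * Returns TRUE when the request passes the CSRF check, FALSE when
 * Codeigniter would stop with "The action you have requested is not allowed."
 * $new_hash receives the hash the client must send with its next POST
 * (Codeigniter stores it in the csrf_cookie_name cookie, valid csrf_expire seconds).
 */
function csrf_verify_model(array $config, $method, $uri, array $post, array $cookie, &$new_hash)
{
    $token_name  = $config['csrf_token_name'];
    $cookie_name = $config['csrf_cookie_name'];
    $current     = isset($cookie[$cookie_name]) ? $cookie[$cookie_name] : csrf_generate_hash();

    // Only POST is checked; any other method just (re)issues the cookie.
    if ($method !== 'POST') {
        $new_hash = $current;
        return TRUE;
    }

    // Excluded URIs are matched as case-insensitive regular expressions against
    // the URI string and skip the check entirely.
    foreach ($config['csrf_exclude_uris'] as $excluded) {
        if (preg_match('#^'.$excluded.'$#i', $uri)) {
            $new_hash = $current;
            return TRUE;
        }
    }

    // Double-submit check: the token in the POST body must equal the cookie.
    // A cross-site form makes the browser attach the cookie, but the attacker's
    // page cannot read it, so it cannot put the matching value in the body.
    if ( ! isset($post[$token_name], $cookie[$cookie_name])
        OR ! hash_equals($cookie[$cookie_name], $post[$token_name])) {
        return FALSE;
    }

    // With csrf_regenerate = TRUE a fresh hash replaces the old one after each
    // valid POST, so a token that leaks or is replayed later is useless.
    $new_hash = $config['csrf_regenerate'] ? csrf_generate_hash() : $cookie[$cookie_name];
    return TRUE;
}

$config = array(
    'csrf_protection'   => TRUE,
    'csrf_token_name'   => 'csrf_test_name',
    'csrf_cookie_name'  => 'csrf_cookie_name',
    'csrf_expire'       => 7200,
    'csrf_regenerate'   => TRUE,
    'csrf_exclude_uris' => array('api/ping'),   // assumed, state-free endpoint
);

// 1. Rendering the page (GET) issues the cookie the browser will send back.
csrf_verify_model($config, 'GET', 'profile/edit', array(), array(), $hash);
$cookie = array('csrf_cookie_name' => $hash);

// 2. The site's own form echoes that hash in the hidden input: accepted.
$own = csrf_verify_model($config, 'POST', 'profile/update',
    array('csrf_test_name' => $hash, 'email' => 'user@example.com'), $cookie, $next);

// 3. A forged cross-site form: the cookie still travels, the token does not.
$forged = csrf_verify_model($config, 'POST', 'profile/update',
    array('email' => 'attacker@example.com'), $cookie, $ignored);

// 4. After step 2 the cookie holds the regenerated hash; replaying the old one fails.
$cookie['csrf_cookie_name'] = $next;
$replay = csrf_verify_model($config, 'POST', 'profile/update',
    array('csrf_test_name' => $hash), $cookie, $ignored);

// 5. An excluded URI is accepted with no token at all.
$excluded = csrf_verify_model($config, 'POST', 'api/ping', array(), $cookie, $ignored);

printf("own form: %s, forged: %s, replay: %s, excluded URI: %s\n",
    var_export($own, TRUE), var_export($forged, TRUE),
    var_export($replay, TRUE), var_export($excluded, TRUE));
```

    Step 5 is the one to keep in mind when filling $config['csrf_exclude_uris']: an excluded action accepts a POST with no token at all, so it must never be one that changes data.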

Form.  

    With CSRF Protection enabled in Codeigniter 3.0 we need to make sure the forms we create use Codeigniter's form helper. This is necessary because Codeigniter then automatically adds the hidden token input to every form we open with form_open() (for POST forms whose action points at our own site).

 
// form_open() inserts the hidden CSRF token input automatically when csrf_protection is TRUE
echo form_open(site_url('register/index'), array('class' => 'form-horizontal', 'role' => 'form'));
. . . . .
echo form_close();

    It may be quite troublesome to change forms we have already made so that they use the form helper. An alternative is to add a single hidden input containing the CSRF token to every form we have made. The input's name must be the configured $config['csrf_token_name'] and its value the current token hash; both are available in a view through $this->security->get_csrf_token_name() and $this->security->get_csrf_hash().
  
. . . .
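    As an added example (not from the original post), here is a plain HTML form that carries the token in a hidden input instead of using form_open(). get_csrf_token_name() and get_csrf_hash() are methods of Codeigniter 3's own Security class, which is loaded automatically, and html_escape() is Codeigniter's escaping helper; the route profile/update and the view variable $email are assumed.

```php
<?php
// Added example, not from the original post: a hand-written form with the
// CSRF token as a hidden input. Assumed: route profile/update, view var $email.
?>
<form action="<?php echo site_url('profile/update'); ?>" method="post">
    <!-- Use the configured name, never the literal 'csrf_test_name', so the
         form keeps working if csrf_token_name is changed in config.php -->
    <input type="hidden"
           name="<?php echo html_escape($this->security->get_csrf_token_name()); ?>"
           value="<?php echo html_escape($this->security->get_csrf_hash()); ?>">

    <label for="email">Email</label>
    <input type="email" id="email" name="email" value="<?php echo html_escape($email); ?>">

    <button type="submit">Save</button>
</form>
```

    Only POST requests are checked, so GET forms such as a search box do not need the hidden input. If this form is the one that a page renders and csrf_regenerate is TRUE, it must be re-rendered after any other POST from the same browser, because the hash it carries is no longer the one in the cookie.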

AJAX Request. 

    With CSRF Protection enabled, every POST request must include the CSRF token to be considered valid, and this applies equally to POST requests made via AJAX. There are two ways to handle this. The first is to add the controller action that serves the AJAX request to $config['csrf_exclude_uris'], so that CSRF Protection is skipped for that action. Note that this removes the protection for that action entirely, so it is only appropriate for actions that do not change any state. The second, and safer, way is to include the CSRF token in every AJAX POST request we make. If we make AJAX requests with jQuery, we can use $.ajaxSetup to include the CSRF token automatically in all AJAX requests.
  
// Register the CSRF token once; jQuery merges it into the data of every AJAX request
var csrfData = {};
csrfData['<?php echo $this->security->get_csrf_token_name(); ?>'] = '<?php echo $this->security->get_csrf_hash(); ?>';
$.ajaxSetup({
    data: csrfData
});
Or we can add the CSRF token to each AJAX request individually. Either way, remember that with $config['csrf_regenerate'] set to TRUE the hash printed into the page is only valid until the first POST; later AJAX requests must use the new hash or they will be rejected.
$.ajax({
    url: '',   // the controller action that handles the request
    type: 'POST',
    dataType: 'json',
    data: {
        data: 'data',
        '<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>'
    }
});
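    Because csrf_verify() runs before the controller is constructed, by the time an action executes the hash has already been regenerated (when csrf_regenerate is TRUE) and get_csrf_hash() returns the value the client needs for its next POST. The following added example (not from the original post) is a controller action for an AJAX POST that returns that fresh token in its JSON response. The class Profile, the route profile/update_ajax and the email update are assumed; is_ajax_request(), method(), post() and the output methods are Codeigniter 3's own.

```php
<?php
// Added example, not from the original post: an AJAX endpoint that works with
// csrf_regenerate = TRUE by handing the client the regenerated token.
// Assumed: controller Profile, route profile/update_ajax, an email update.
defined('BASEPATH') OR exit('No direct script access allowed');

class Profile extends CI_Controller
{
    public function update_ajax()
    {
        // The CSRF check has already run; this only narrows the endpoint's
        // contract to AJAX POST callers.
        if ( ! $this->input->is_ajax_request() OR $this->input->method() !== 'post') {
            show_404();
        }

        $email = $this->input->post('email', TRUE);
        $ok = (filter_var($email, FILTER_VALIDATE_EMAIL) !== FALSE);
        // ... update the logged-in user's record here (not shown) ...

        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'ok'        => $ok,
                // Fresh token for the client's next AJAX POST.
                'csrf_name' => $this->security->get_csrf_token_name(),
                'csrf_hash' => $this->security->get_csrf_hash(),
            )));
    }
}
```

    On the jQuery side, the success callback should store the returned pair before the next request, for example by calling $.ajaxSetup again with a data object containing the new name and hash (mutating the csrfData object after $.ajaxSetup has copied it does not update the defaults). Parallel AJAX requests will race for the single current token, so if the page fires many requests at once the alternative is to set csrf_regenerate to FALSE and let the token live for csrf_expire seconds, which still blocks cross-site forgery.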

1 comment:

22 March 2017 at 00:49

Your blog has given me that thing which I never expected to get from all the other websites. Nice post guys!

Melbourne Web Hosting