Jens Segers on

Codeigniter 2: CSRF Protection

Codeigniter 2.0 adds an new security feature to prevent CSRF attacks. Cross Site Request Forgery (CSRF) is one of the most common vulnerabilities in websites and web applications.

Cross Site Request Forgery

CSRF

A CSRF attack works by including a link or script in a page that accesses a website to which the user is known (or is supposed) to have been authenticated. For example, one user called John has an account on a vulnerable website called super-bank.com but is also a frequent visitor of super-forum.com. Another user, Jane has sent John a message on super-forum.com with a HTML image element that references an action on John's bank's website (rather than an image file):

<img src="http://super-bank.com/withdraw?account=john&amount=1000000&for=jane" />

If John's bank's website keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by John's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without John's approval.

The following characteristics are common to CSRF:

  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP requests to a target site
  • Involve HTTP requests that have side effects

Codeigniter 2

There are several ways to protect your website against CSRF. The most common one, which is also used by CodeIgniter 2, includes a hidden field with an CSRF token in each form on the website. The CSRF token is a random value that changes with each HTTP request sent. As soon as it is inserted in the website forms, it gets saved in the user’s session as well. When the form is submitted, the website checks if the submitted CSRF token equals the one saved in the session.

To enable Codeigniter's built in CSRF protection open up your config.php and change the following values:

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name'; //The token (form) name
$config['csrf_cookie_name'] = 'csrf_cookie_name'; //The cookie name
$config['csrf_expire'] = 7200; //The number in seconds the token should expire.

The Security class generates a unique value for the CSRF token with each HTTP request. The only thing left to do now is to include the hidden form field on your website by using the form helper function form_open(). This function will not only create the form opening tag but will also include the hidden input field containing the CSRF token. After submitting the form the Security class will now verify the the received token.

Your form should look like this:

<?php echo form_open('next_controller'); ?>
  <input type="text" name="input" />
  <button type="submit">send</button>
</form>

And Codeigniter will add this field:

<input type="hidden" name="csrf_test_name" value="83414e02ed14902b12c37317d9d490e3" />

The CSRF protection feature is disabled by default, and I recommend you to enable it if you are using Codigniter 2 and rely on user input data. This enhances your website's security, is really easy to use and does not need any code editing if you are upgrading from Codeigniter 1.7 (and using the form helper). If you are not upgrading to Codeigniter 2 and want to protect your site against CSRF then I reccomend you following this excellent net.tutsplus tutorial.

http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://codeigniter.com

Webmentions

Tweet about this blog post and you will appear below!