开发者

Prevent CSRF on things which aren't part of forms in codeigniter

I know that Codeigniter has a very useful security class which can prevent CSRF/XSRF if you use the form helpers, but since the CI url structure calls a lot of functions pretty much directly, how can I prevent CSRF for things like /action/logout without having an additional confirmation form like SE has?

Ideas I've had:

  • Check page referrer
  • Check requested MIME type (even possible?) (for image CSRF such as <img src="http://example.com/action/logout" />)
  • Make all actions part of a form (not preferable)
  • Include the CSRF token in the page URL (ugly and very bad, users like to copy and paste urls without regard for session IDs stored or other private information)

I won't bother protecting things like /account/view/1/cyclone/ since it doesn't perform an action and would at most be a waste of bandwidth.

Granted, I do know that some people like to code things to automate their we开发者_如何学运维bsite usage and I respect that, which is why I'll be creating an API for performing actions via code or automatically.


As a general rule, any form request that performs an action should use POST. For all else GET is permitted. Using POST will definitely help. I believe you can also include the token as a hidden field in the form instead of an ugly string in the URL. As for checking the requested MIME type, this is not possible. Do a print_r($_SERVER) and in there is basically everything you get from the user as well as server side stuff.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜