I know that Codeigniter has a very useful security class which can prevent CSRF/XSRF if you use the form helpers, but since the CI url structure calls a lot of functions pretty much directly, how can I prevent CSRF for things like /action/logout without having an additional confirmation form like SE has?
Ideas I’ve had:
- Check page referrer
- Check requested MIME type (even possible?) (for image CSRF such as
<img src="http://example.com/action/logout" />) - Make all actions part of a form (not preferable)
- Include the CSRF token in the page URL (ugly and very bad, users like to copy and paste urls without regard for session IDs stored or other private information)
I won’t bother protecting things like /account/view/1/cyclone/ since it doesn’t perform an action and would at most be a waste of bandwidth.
Granted, I do know that some people like to code things to automate their website usage and I respect that, which is why I’ll be creating an API for performing actions via code or automatically.
As a general rule, any form request that performs an action should use
POST. For all elseGETis permitted. Using POST will definitely help. I believe you can also include the token as a hidden field in the form instead of an ugly string in the URL. As for checking the requested MIME type, this is not possible. Do a print_r($_SERVER) and in there is basically everything you get from the user as well as server side stuff.