You can enable CSRF protection by modifying your application/config/config.php file in the following way:
$config['csrf_protection'] = TRUE;
If you use the form helper, the form_open() function will automatically insert a hidden CSRF field in your forms. If not, you can use the Security class methods get_csrf_token_name() and get_csrf_hash() to add the field yourself:
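<?php /* Token name and value from the Security class */ $csrf = array('name' => $this->security->get_csrf_token_name(), 'hash' => $this->security->get_csrf_hash()); ?>
<input type="hidden" name="<?php echo $csrf['name'];?>" value="<?php echo $csrf['hash'];?>" />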
Regenerating the token, which is the default, provides stricter security but may cause usability problems because other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc.). You can alter this behavior by editing the following config parameter:
$config['csrf_regenerate'] = TRUE;
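With regeneration enabled, an asynchronous request uses up the token the page was rendered with, so the server has to hand the new one back. The controller below is an added example, not code from the original lesson: it assumes CodeIgniter 3 with csrf_protection enabled, and the class name Profile, the view name profile_edit and the nickname field are hypothetical.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Hypothetical controller, saved as application/controllers/Profile.php
class Profile extends CI_Controller
{
    // Current token name and value, read from the Security class.
    private function csrf_fields()
    {
        return array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash(),
        );
    }

    // GET profile/edit: render a hand-written form (no form_open()).
    // The view prints $csrf['name'] and $csrf['hash'] in a hidden input.
    public function edit()
    {
        $this->load->view('profile_edit', array('csrf' => $this->csrf_fields()));
    }

    // POST profile/save, called asynchronously from the page.
    // With csrf_protection enabled, the framework has already rejected
    // the request before this method runs if the token was missing or wrong.
    public function save()
    {
        $nickname = $this->input->post('nickname');
        // ... validate and persist $nickname here ...

        // With csrf_regenerate = TRUE the submitted token is no longer
        // valid, so return the fresh pair. The client must put it into
        // its hidden field (or request data) before the next POST.
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'ok'   => TRUE,
                'csrf' => $this->csrf_fields(),
            )));
    }
}
```

If the client ignores the returned pair, its second POST from the same page fails CSRF verification, which is the multiple-request usability problem described above.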