CodeIgniter 4 provides several helper functions that make it easy to add CSRF protection to web forms. In this article we will go through all of the CSRF functions available in CodeIgniter 4.
With these functions we can send the CSRF token in a request header or add it at form level.
We have a few other articles on the same topic that you may also want to read.
- Implementation of CodeIgniter 4 CSRF Token
- CodeIgniter 4 CSRF Token with Ajax Request
- How to Fix Session Fixation Session Hijacking Attack in CodeIgniter ?
Let’s get started.
CodeIgniter 4 Installation
To create a CodeIgniter 4 project, run the following command in your shell or terminal. Make sure Composer is installed first.
composer create-project codeigniter4/appstarter codeigniter-4
From here on we assume that the application has been installed successfully on your local system.
Environment (.env) Setup
When we install CodeIgniter 4, there is an env file at the project root. To use environment variables, that is, variables available at global scope, we need to turn env into .env.
We can either simply rename the file or do it with a terminal command.
Open the project in a terminal and run:
cp env .env
The command above copies the env file to .env. Now we are ready to use environment variables.
Enable Development Mode
CodeIgniter starts up in production mode by default. Switch it to development mode so that you can see errors while you are working on the application.
Open the .env file at the project root.
# CI_ENVIRONMENT = production
# Change it to
CI_ENVIRONMENT = development
Now the application is in development mode.
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) is an attack that forces an end user (a user who is currently authenticated to the site) to execute unwanted actions on a web application. Forged requests of this kind can write attacker-supplied data into database tables, and in some cases they can crash the database or bring the application down.
It is a common attack, and protecting against it is one of the first things every developer or site owner needs to take care of.
In CodeIgniter 4, a few helper functions are available that make it easy to add a CSRF token value to web forms.
Available CSRF Functions in CodeIgniter 4
CodeIgniter 4 has the following functions that provide the functionality to work with CSRF tokens and web forms.
- csrf_token()
- csrf_header()
- csrf_hash()
- csrf_field()
- csrf_meta()
About csrf_token()
This function returns the name of the current CSRF token.
<?= csrf_token() ?>
It outputs csrf_test_name.
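If we open the .env file and search for security, we can see the CSRF settings there. The token name is controlled by security.tokenName. These lines are commented out by default, which is why csrf_token() printed csrf_test_name above rather than the value shown here.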
#--------------------------------------------------------------------
# SECURITY
#--------------------------------------------------------------------
# security.csrfProtection = 'cookie'
# security.tokenName = 'csrf_token_name'
# security.headerName = 'X-CSRF-TOKEN'
# security.cookieName = 'csrf_cookie_name'
# security.expires = 7200
# security.regenerate = true
# security.redirect = true
# security.samesite = 'Lax'
About csrf_header()
This function returns the name of the header used for the current CSRF token. We can also see this value in the settings above, i.e. security.headerName.
<?= csrf_header() ?>
It outputs X-CSRF-TOKEN.
About csrf_hash()
This function returns the current CSRF hash value.
<?= csrf_hash() ?>
It outputs a random token value, for example 860e145a6c43bc17152ec2d164c917cb.
About csrf_field()
It returns a string containing the HTML for a hidden input with all the required CSRF information already inserted.
<?= csrf_field() ?>
When we print it, the value follows this pattern:
<input type="hidden" name="{csrf_token}" value="{csrf_hash}">
Output
<input type="hidden" name="csrf_test_name" value="ab72dc54e83f32be021f6255280b6a09">
About csrf_meta()
It returns a string containing the HTML for a meta tag with all the required CSRF information already inserted.
<?= csrf_meta() ?>
When we print it, the value follows this pattern:
<meta name="{csrf_header}" content="{csrf_hash}">
Output
<meta name="X-CSRF-TOKEN" content="34dc67c2bad36bf5bf910bf76c193781">
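The sketch below is an added example, not CodeIgniter's source and not code from the original article: plain PHP showing how the token name, header name and hash returned by the helpers above fit together, and how a server can check a submitted token. The demo_* functions, the $session array and the header array are hypothetical stand-ins, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);
// Added illustration, not CodeIgniter's source: shows how the values behind
// the five helpers relate and how a server can verify them.

const TOKEN_NAME  = 'csrf_test_name'; // name that csrf_token() printed above
const HEADER_NAME = 'X-CSRF-TOKEN';   // name that csrf_header() printed above

// Stand-in for csrf_hash(): one random 32-hex-character token per session.
function demo_hash(array &$session): string
{
    return $session['csrf'] ??= bin2hex(random_bytes(16));
}

// Stand-in for csrf_field(): hidden input named after the token name.
function demo_field(array &$session): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">', TOKEN_NAME, demo_hash($session));
}

// Stand-in for csrf_meta(): meta tag named after the header name.
function demo_meta(array &$session): string
{
    return sprintf('<meta name="%s" content="%s">', HEADER_NAME, demo_hash($session));
}

// Server side: take the token from the form field or, failing that, the header,
// and compare it with the stored one in constant time.
function demo_verify(array $session, array $post, array $headers): bool
{
    $sent = $post[TOKEN_NAME] ?? $headers[HEADER_NAME] ?? null;
    return is_string($sent) && isset($session['csrf']) && hash_equals($session['csrf'], $sent);
}

$session = [];                       // constructed, empty session
echo demo_field($session), PHP_EOL;  // what a form view would embed
echo demo_meta($session), PHP_EOL;   // what a page <head> would embed
$token = demo_hash($session);

var_dump(demo_verify($session, [TOKEN_NAME => $token], []));  // legitimate form post
var_dump(demo_verify($session, [], [HEADER_NAME => $token])); // legitimate AJAX request
var_dump(demo_verify($session, ['comment' => 'hi'], []));     // cross-site post without a token
var_dump(demo_verify($session, [TOKEN_NAME => str_repeat('0', 32)], [])); // guessed token
```

A page from another origin cannot read the hidden field or the meta tag, so a request forged from there arrives without a matching token.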
We hope this article helped you learn about the CSRF functions in CodeIgniter 4 in detail.