What are CSRF Functions in CodeIgniter 4 Tutorial


CodeIgniter 4 provides several functions that help us implement CSRF protection in web forms. In this article we will go through the list of all available CSRF functions in CodeIgniter 4.

With the help of these functions, we can send the CSRF token in a request header or add it at the form level. So this tutorial should be interesting to follow and learn from.


Note*: For this article, CodeIgniter v4.1 setup has been installed. By the time you read this, the version may have been updated. CodeIgniter 4.x is still in development mode.

Let’s get started.


Download & Install CodeIgniter 4 Setup

We need to download and install the CodeIgniter 4 application setup on our system. There are multiple ways to set up the application.

Here are the ways to download and install CodeIgniter 4:

  • Manual Download
  • Composer Installation
  • Clone Github repository of CodeIgniter 4


Here is the command to install via Composer:

$ composer create-project codeigniter4/appstarter codeigniter-4

We assume you have successfully installed the application on your local system.


Turn Development Mode On

When we install CodeIgniter 4, there is an env file at the project root. To use environment variables, that is, variables at global scope, we need to copy env to .env.

Open the project in a terminal:

$ cp env .env

The above command creates a copy of the env file named .env. Now we are ready to use environment variables.

CodeIgniter starts up in production mode by default. Let's switch it to development mode so that any errors are displayed while we work.

# CI_ENVIRONMENT = production

// Change it to

CI_ENVIRONMENT = development

Now the application is in development mode.


What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is an attack which forces an end user (an unauthenticated user of the site) to execute unwanted actions on a web application. These requests can sometimes crash the database: the attacker's data is saved into database tables and acted on, and this may bring the application down.

This is a common attack that every developer or even website owner needs to deal with first.

CodeIgniter 4 has a few functions that make it easy to integrate a CSRF token value into web forms.


Available CSRF Functions in CodeIgniter 4

CodeIgniter 4 provides the following functions for working with the CSRF token in web forms:

  • csrf_token()
  • csrf_header()
  • csrf_hash()
  • csrf_field()
  • csrf_meta()

About csrf_token()

This function returns the name of the current CSRF token.

<?= csrf_token() ?>

It outputs csrf_test_name.

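If we open the .env file and search for "security", we can see the CSRF settings there. The token name is set by security.tokenName. The lines are commented out with #, so each one takes effect only after it is uncommented.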

#--------------------------------------------------------------------
# SECURITY
#--------------------------------------------------------------------

# security.tokenName  = 'csrf_token_name'
# security.headerName = 'X-CSRF-TOKEN'
# security.cookieName = 'csrf_cookie_name'
# security.expires    = 7200
# security.regenerate = true
# security.redirect   = true
# security.samesite   = 'Lax'

About csrf_header()

This function returns the name of the header for the current CSRF token. This value also appears in the settings above, as security.headerName.

<?= csrf_header() ?>

It outputs X-CSRF-TOKEN.

About csrf_hash()

This function returns the current CSRF hash value.

<?= csrf_hash() ?>

It outputs a random token value, for example 860e145a6c43bc17152ec2d164c917cb.

About csrf_field()

It returns a string containing the HTML for a hidden input with all required CSRF information already inserted.

<?= csrf_field() ?>

When printed, the output follows this pattern:

<input type="hidden" name="{csrf_token}" value="{csrf_hash}">

Output

<input type="hidden" name="csrf_test_name" value="ab72dc54e83f32be021f6255280b6a09">

About csrf_meta()

It returns a string containing the HTML for a meta tag with all required CSRF information already inserted.

<?= csrf_meta() ?>

When printed, the output follows this pattern:

<meta name="{csrf_header}" content="{csrf_hash}">

Output

<meta name="X-CSRF-TOKEN" content="34dc67c2bad36bf5bf910bf76c193781">
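The form-level and header-level uses of these helpers, combined in one view. This is an added example, not code from the original article or from CodeIgniter itself. The view file name and the profile/update route are hypothetical, and it assumes the csrf filter is enabled in app/Config/Filters.php, because the helpers only print the token and the filter is what checks it on incoming requests.

```php
<?php
// app/Views/profile_form.php (hypothetical view name, added example)
// Assumption: the 'csrf' filter is enabled for this route in
// app/Config/Filters.php. The helpers below only emit the token.
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <!-- Header-level token for JavaScript: prints the <meta> tag shown above -->
    <?= csrf_meta() ?>
</head>
<body>
    <!-- Form-level token: csrf_field() adds the hidden input to the POST body -->
    <form method="post" action="<?= site_url('profile/update') ?>">
        <?= csrf_field() ?>
        <input type="text" name="display_name">
        <button type="submit">Save</button>
    </form>

    <button id="ajax-save" type="button">Save via AJAX</button>

    <script>
    // Read the header name and hash from the tag that csrf_meta() printed.
    const meta = document.querySelector('meta[name="<?= csrf_header() ?>"]');

    document.getElementById('ajax-save').addEventListener('click', async () => {
        const response = await fetch('<?= site_url('profile/update') ?>', {
            method: 'POST',
            credentials: 'same-origin',   // send the cookies with the request
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded',
                [meta.name]: meta.content // e.g. X-CSRF-TOKEN: <hash>
            },
            body: new URLSearchParams({ display_name: 'example' })
        });
        // With security.regenerate = true the hash changes after a checked
        // request, so obtain a fresh value before sending another one.
        console.log(response.status);
    });
    </script>
</body>
</html>
```

A request that reaches the filter without a matching token in either the hidden field or the header is rejected, which is the behaviour to confirm when testing the form.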

We hope this article helped you learn about the CSRF functions in CodeIgniter 4 in detail.
