
I set the CSRF protection option to TRUE and use form_open(). The hidden input shows successfully. However, if I submit the form, then press "back" and submit again, it allows the form to be submitted again! Is there something wrong with the CodeIgniter settings, or is it supposed to be like this?

Now, I am finding myself to be implementing my own token system that checks the hidden post input with a session variable. I feel like I'm also implementing CSRF on my own now. If I do it my way, is there any need still for CI's implementation?

timetofly

1 Answer


Setting CSRF to true will automatically add the random hash to your form_open(), but it is only regenerated as necessary, and the browser you use determines the behavior of the back button. If it goes back with no refresh, then your hash should be incorrect; if it sends an HTTP request, then it would update the token.

What you mention here is not truly a glitch, because CSRF is working as intended to prevent cross-site forgery; the problem is something else, which most fix with a Post/Redirect/Get (PRG) pattern. This way, hitting back would either redirect or have an invalid CSRF token, and it allows you to flush the data from the session or post if you are not using the flash data.

dasper
  • Not sure I understand you 100%. Even with a redirect, I can use the browser's history to go back two pages instead of one, back to the original form. From there I can submit again, and the current CSRF implementation does not stop this from happening. So I'm back to the original problem again. Am I missing something? – timetofly Feb 27 '13 at 20:20
  • Use of the back button is not a cross-site request forgery so the answer to your question "Does CodeIgniter's CSRF protection not prevent multiple form submits?" is No, because hitting the back button is not CSRF. You are on the right track either using session or flashdata to help and you would have to do this in CI, or Cake, or Yii or Laravel to the best of my knowledge as well. The criteria for how and when you want to enable/disable access to the form can vary from form to form so I would not have expected this to be in the framework IMO. – dasper Feb 27 '13 at 22:19
  • Yes, that does make sense, thank you. If I do go that route, using sessions (like this: http://stackoverflow.com/a/4614123/371699), is there still any need for using CodeIgniter's built-in CSRF protection? Surely going this route also prevents any request that does not have the proper token? – timetofly Feb 28 '13 at 15:45
  • Correct. The nice thing about CI's is just having it automatic on your forms, but you can also create your own library or extend the ones built in so it will auto-load. There may already be one on Composer you could integrate, but I am not sure. – dasper Feb 28 '13 at 16:56
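The distinction the answer and the comments are drawing (a per-session CSRF token that is still valid when the cached form is resubmitted, versus a single-use form token that is consumed on the first POST and followed by a PRG redirect) can be made concrete with a small model of the two checks. The following is an added, framework-agnostic illustration written for this page; it is not CodeIgniter code and does not use CodeIgniter's API. The `Session` dict stands in for the server-side session, `render_form`/`handle_post` stand in for the GET and POST handlers, and the route names `/thanks` and `/already-submitted` are assumed for the example.

```python
import hmac
import secrets


class Session(dict):
    """Stand-in for one user's server-side session store (assumption for this example)."""


def csrf_token(session):
    # CI-style behaviour modelled here: one token per session, reused across
    # forms and only regenerated when the session is renewed.
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def csrf_ok(session, posted):
    """True if the posted token matches the session-bound one (constant-time compare)."""
    expected = session.get("csrf_token")
    return expected is not None and hmac.compare_digest(expected, posted.get("csrf_token", ""))


def issue_form_nonce(session):
    # Single-use token for double-submit protection: minted per rendering of the form.
    nonce = secrets.token_hex(16)
    session.setdefault("form_nonces", set()).add(nonce)
    return nonce


def consume_form_nonce(session, posted):
    """True exactly once per issued nonce; a replay of the same fields fails."""
    nonce = posted.get("form_nonce", "")
    nonces = session.get("form_nonces", set())
    if nonce in nonces:
        nonces.discard(nonce)
        return True
    return False


def render_form(session):
    """GET /form: the hidden fields the browser will render and cache."""
    return {"csrf_token": csrf_token(session), "form_nonce": issue_form_nonce(session)}


def handle_post(session, posted, orders):
    """POST /submit: returns (status, location); 303 is the PRG redirect."""
    if not csrf_ok(session, posted):
        return (403, None)                      # cross-site or stale session
    if not consume_form_nonce(session, posted):
        return (303, "/already-submitted")      # back-button replay of a cached form
    orders.append(posted["item"])
    return (303, "/thanks")


def demo():
    """Constructed scenario: submit, replay via Back, forged cross-site POST, fresh GET."""
    session, orders = Session(), []
    form = render_form(session)                 # browser renders and caches this page
    first = dict(form, item="widget")
    r1 = handle_post(session, first, orders)    # accepted

    # User presses Back; browser shows the cached page (no new GET) and resubmits.
    r2 = handle_post(session, first, orders)    # CSRF still valid, nonce already spent

    # Cross-site attacker can post to the form but cannot read the session-bound token.
    forged = {"csrf_token": "guess", "form_nonce": form["form_nonce"], "item": "evil"}
    r3 = handle_post(session, forged, orders)   # rejected by the CSRF check

    # Browser that re-requests the page on Back gets a fresh nonce: a new, real submission.
    fresh = dict(render_form(session), item="gadget")
    r4 = handle_post(session, fresh, orders)    # accepted

    return r1, r2, r3, r4, orders, csrf_ok(session, first)


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` shows why the CSRF token alone cannot stop the replay: after both submissions it still validates, because it is bound to the session rather than to one rendering of the form. The nonce check and the redirect are the parts that have to be added on top, per form, which is the point the answer makes about frameworks leaving this to the application.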