Admin area - CSRF token protection

Update at 2017-12-22 07:58:04


CI Base default protect your application from CSRF attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.


CI Base hava global data generate "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application.

Anytime you define a HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request. You may use the $csrf_field variable to generate the token field:

<form method="POST" action="/profile">
    <?php echo $csrf_field ?>

<!-- Or -->

<form method="POST" action="/profile">
    <input type="hidden" name="<?php echo $csrf_name ?>" value="<?php echo $csrf_token ?>" />


You can open admin/config/config.php and find with keyword 'csrf' to see CSRF configurations


| Cross Site Request Forgery
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
| 'csrf_regenerate' = Regenerate token on every submission
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_token';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = false;
$config['csrf_exclude_uris'] = array();