5

I'm just wondering if there is any option where I can turn off CSRF in a specific controller/method. I've got another site that pings my site, but it's getting blocked because of the CSRF.

Is there any way I can get around this?

2
  • 1
    You can consider generally disabling CI CSRF "protection" because it's broken. Instead, know what you do and provide sanity checks on your own to be on the safe side (which you need to do anyway for the controllers in question). Commented Sep 22, 2011 at 0:08
  • 6
    Got a link to how it is broken? first I heard is all. Commented Sep 22, 2011 at 1:23

1 Answer

7

Create a pre_system hook then put the following code inside your hook controller:

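// Substring match: true if '/controller/function' appears anywhere in the request URI
if(stripos($_SERVER["REQUEST_URI"],'/controller/function') !== FALSE)
{
    $CFG =& load_class('Config', 'core');
    // Turn CSRF protection off for this request only
    $CFG->set_item('csrf_protection', FALSE);
}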

Reference: http://codeigniter.com/forums/viewreply/869900/


1 Comment

I hate to bump this but I just wanted to say that while this works, it isn't all that safe and people should be aware. For example, if your controller is api and function is dosomething you have "www.site.com/api/dosomething" disabled. But what's to stop someone going to "www.site.com/account/killkitten/api/dosomething"? CSRF disabled. Kitten killed. No?
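
The comment's point can be checked by comparing the answer's substring test with a match anchored to the start of the request path. This is an added example, not code from the answer or from CodeIgniter; the function names and the allow-list are hypothetical, and it assumes the application sits at the web root with default controller/method routing (no custom routes).

```php
<?php
// Added example. Paths are the ones used in the comment above;
// function names and the allow-list are hypothetical.

// The answer's check: true whenever the needle appears anywhere in the URI.
function csrf_exempt_substring(string $requestUri, string $needle): bool
{
    return stripos($requestUri, $needle) !== false;
}

// Stricter check: compare the path against an allow-list, matching whole
// segments from the start of the path only.
function csrf_exempt_anchored(string $requestUri, array $allowed): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH); // drops the query string
    if (!is_string($path)) {
        return false; // malformed URI: keep CSRF protection on
    }
    // Refuse encoded characters and dot segments instead of normalising them.
    if (strpos($path, '%') !== false || preg_match('#/\.{1,2}(/|$)#', $path)) {
        return false;
    }
    // Drop an optional /index.php front controller and surrounding slashes.
    $path = preg_replace('#^/index\.php(?=/|$)#', '', $path);
    $path = '/' . trim($path, '/');
    foreach ($allowed as $route) {
        // Exact route, or route followed by "/" (extra segments as arguments).
        if ($path === $route
            || strncmp($path, $route . '/', strlen($route) + 1) === 0) {
            return true;
        }
    }
    return false;
}

$allowed = ['/api/dosomething'];
$samples = [ // constructed request URIs
    '/api/dosomething',
    '/index.php/api/dosomething/42?x=1',
    '/account/killkitten/api/dosomething',
    '/api/dosomethingelse',
];
foreach ($samples as $uri) {
    printf("%-40s substring=%s anchored=%s\n", $uri,
        var_export(csrf_exempt_substring($uri, '/api/dosomething'), true),
        var_export(csrf_exempt_anchored($uri, $allowed), true));
}
```

In the pre_system hook, the anchored function would take the place of the `stripos` condition, with `$_SERVER["REQUEST_URI"]` as its first argument.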
