Upgrade Security
Documentations
Note
If you use the Form Helper and enable the CSRF filter globally, then form_open() will automatically insert a hidden CSRF field in your forms, so you do not have to make this change yourself.
What has been changed
The method to implement CSRF tokens to HTML forms has been changed.
Upgrade Guide
To enable CSRF protection in CI4 you have to enable it in app/Config/Filters.php:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

class Filters extends BaseConfig
{
    // ...

    public $globals = [
        'before' => [
            // 'honeypot',
            'csrf',
        ],
    ];

    // ...
}
Within your HTML forms you have to remove the CSRF input field, which looks similar to:
<input type="hidden" name="<?= $csrf['name'] ?>" value="<?= $csrf['hash'] ?>" />
Then, within your HTML forms, add
<?= csrf_field() ?>
somewhere in the form body, unless you are using form_open().
Code Example
CodeIgniter Version 3.x
<?php
$csrf = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()
);
?>
<form>
<input name="name" type="text">
<input name="email" type="text">
<input name="password" type="password">
<input type="hidden" name="<?= $csrf['name'] ?>" value="<?= $csrf['hash'] ?>">
<input type="submit" value="Save">
</form>
CodeIgniter Version 4.x
<form>
<input name="name" type="text">
<input name="email" type="text">
<input name="password" type="password">
<?= csrf_field() ?>
<input type="submit" value="Save">
</form>
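The case from the Note above, as an added example that is not from the CodeIgniter documentation: a CI4 view that loads the Form Helper and lets form_open() emit the CSRF field, so no csrf_field() call is needed. The route name 'account/save' is a hypothetical placeholder.

```php
<?php
// Added example, not from the CodeIgniter docs. Assumes the 'csrf' filter is
// enabled under $globals['before'] in app/Config/Filters.php (see above).
// The target route 'account/save' is hypothetical.
helper('form');
?>
<?= form_open('account/save') ?>
    <input name="name" type="text">
    <input name="email" type="text">
    <input name="password" type="password">
    <?php // No csrf_field() here: form_open() already emitted the hidden CSRF
          // input, because the filter is on, the action is a local URL and the
          // method is POST (form_open() omits the field for GET forms). ?>
    <input type="submit" value="Save">
<?= form_close() ?>
```

If a view posts to a URL outside the site or uses method="get", form_open() does not add the field, which is also what the CSRF filter expects: it checks only state-changing requests to this application.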