CodeIgniter
CSRF Prevention
CSRF stands for cross-site request forgery. You can enable CodeIgniter's protection against this attack in the application/config/config.php file as shown below.
$config['csrf_protection'] = TRUE;
When you create a form using the form_open() function, it automatically inserts the CSRF token as a hidden field. You can also add the token manually using the get_csrf_token_name() and get_csrf_hash() functions. The get_csrf_token_name() function returns the name of the CSRF field, and get_csrf_hash() returns the CSRF hash value.
The CSRF token can be regenerated on every submission, or you can keep it the same throughout the life of the CSRF cookie. Setting the config key 'csrf_regenerate' to TRUE regenerates the token, as shown below.
$config['csrf_regenerate'] = TRUE;
You can also whitelist URLs from CSRF protection by setting them in the config array under the key 'csrf_exclude_uris', as shown below. Regular expressions are also accepted.
$config['csrf_exclude_uris'] = array('api/person/add');
Password Handling
Many developers do not know how to handle passwords in web applications, which is probably why so many attackers find it easy to break into systems. Keep the following points in mind when handling passwords:
DO NOT store passwords in plain-text format.
Always hash your passwords.
DO NOT use Base64 or similar encoding for storing passwords.
DO NOT use weak or broken hashing algorithms like MD5 or SHA1. Only use strong password hashing algorithms like BCrypt, which is used in PHP's own Password Hashing functions.
DO NOT ever display or send a password in plain-text format.
DO NOT put unnecessary limits on your users' passwords.
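The points above, put to work in a CodeIgniter 3 model that stores and verifies passwords with PHP's native password_hash() and password_verify(). This is an added example, not code from the tutorial; the table name users and the columns id, username and password_hash are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example: application/models/User_model.php (assumed path).
// Assumes a "users" table with columns id, username and password_hash.
// password_hash should be VARCHAR(255): bcrypt output is 60 characters,
// and newer algorithms produce longer strings.
class User_model extends CI_Model
{
    // bcrypt work factor; raise it as hardware gets faster.
    const HASH_COST = 12;

    // Store only the salted bcrypt hash, never the password or an encoding of it.
    public function register($username, $password)
    {
        $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => self::HASH_COST));
        return $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => $hash,
        ));
    }

    // Returns the user row on success, FALSE otherwise.
    public function login($username, $password)
    {
        $user = $this->db->get_where('users', array('username' => $username))->row();

        // password_verify() compares in constant time; unknown user and wrong
        // password give the same result so the response leaks nothing.
        if (! $user || ! password_verify($password, $user->password_hash)) {
            return FALSE;
        }

        // Transparently re-hash when the cost or algorithm has been raised,
        // so old accounts migrate the next time their owner logs in.
        if (password_needs_rehash($user->password_hash, PASSWORD_BCRYPT, array('cost' => self::HASH_COST))) {
            $this->db->where('id', $user->id)->update('users', array(
                'password_hash' => password_hash($password, PASSWORD_BCRYPT, array('cost' => self::HASH_COST)),
            ));
        }
        return $user;
    }
}
```

No maximum length is imposed on the password here beyond bcrypt's own 72-byte input limit, in line with the last point above.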