Allow redirecting on CSRF failures. Fixes #1012

codeigniter4 · Jul 9, 2018 · 107753d · 107753d
1 parent 106a37d
commit 107753d
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 1 deletion.
diff --git a/application/Config/App.php b/application/Config/App.php
@@ -240,11 +240,13 @@ class App extends BaseConfig
 	| CSRFCookieName  = The cookie name
 	| CSRFExpire      = The number in seconds the token should expire.
 	| CSRFRegenerate  = Regenerate token on every submission
+	| CSRFRedirect    = Redirect to previous page with error on failure
 	*/
 	public $CSRFTokenName   = 'csrf_test_name';
 	public $CSRFCookieName  = 'csrf_cookie_name';
 	public $CSRFExpire      = 7200;
 	public $CSRFRegenerate  = true;
+	public $CSRFRedirect    = true;
 
 	/*
 	|--------------------------------------------------------------------------

diff --git a/application/Filters/CSRF.php b/application/Filters/CSRF.php
@@ -3,6 +3,7 @@
 use CodeIgniter\Filters\FilterInterface;
 use CodeIgniter\HTTP\RequestInterface;
 use CodeIgniter\HTTP\ResponseInterface;
+use CodeIgniter\Security\Exceptions\SecurityException;
 use Config\Services;
 
 class CSRF implements FilterInterface
@@ -30,7 +31,19 @@ public function before(RequestInterface $request)
 
 		$security = Services::security();
 
-		$security->CSRFVerify($request);
+		try
+		{
+			$security->CSRFVerify($request);
+		}
+		catch (SecurityException $e)
+		{
+			if (config('App')->CSRFRedirect && ! $request->isAJAX())
+			{
+				return redirect()->back()->with('error', $e->getMessage());
+			}
+
+			throw $e;
+		}
 	}
 
 	//--------------------------------------------------------------------

diff --git a/tests/_support/Config/MockAppConfig.php b/tests/_support/Config/MockAppConfig.php
@@ -20,6 +20,7 @@ class MockAppConfig
 	public $CSRFExpire      = 7200;
 	public $CSRFRegenerate  = true;
 	public $CSRFExcludeURIs = ['http://example.com'];
+	public $CSRFRedirect    = false;
 
 	public $CSPEnabled = false;
 

diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
@@ -73,6 +73,15 @@ may alter this behavior by editing the following config parameter
 
 	public $CSRFRegenerate  = true;
 
+When a request fails the CSRF validation check, it will redirect to the previous page by default,
+setting an ``error`` flash message that you can display to the end user. This provides a nicer experience
+than simply crashing. This can be turned off by editing the ``$CSRFRedirect`` value in
+**application/Config/App.php**::
+
+	public $CSRFRedirect = false;
+
+Even when the redirect value is **true**, AJAX calls will not redirect, but will throw an error. 
+
 *********************
 Other Helpful Methods
 *********************