CSRF using Angular.js with PHP CodeIgniter backend

Question

I am trying to implement CSRF with Angular.js and CodeIgniter, however, I am not sure if my method is secure.

When Angular sends a post, put, or delete request, I have a custom security class in PHP check $_SERVER['HTTP_COOKIE'] from the request. If it includes the CSRF cookie, I verify it against the value in the $_COOKIE variable.

I am not sure if these are just always the same values and not actually doing anything or what. Is there a better way I should be handling this?

Answer 1

I have not worked with angular JS but with codeigniter. For csrf protection codeigniter provides security class for providing the security token(or the csrf cookie) for respective requests either via form. Now you only need to enable this feature under the config file:

Location: application/config/config.php
Default Code: $config['csrf_protection'] = FALSE;
Change it to: $config['csrf_protection'] = TRUE;

By making it true, it automatically inserts a security token in form, that is verified at the server end. You can change the token name & cookie name in the same file via below config settings:

$config['csrf_token_name']
$config['csrf_cookie_name']

One important thing is that, if you refresh the page, security token doesn't change, or think it as same security token for current user session. This is somewhat drawback I have found with Codeigniter. If you want same implementation with ajax, either you need to add manual code for passing the token name or value or use ajaxSetup for all requests.

By this way you can achieve the csrf protection at a level, if you want some more security then you can check for httponly cookies or ssl deployemnt subject to your project need.