In the newish CodeIgniter v3, CSRF tokens are only valid once. As a result, I'm having some trouble dealing with multiple tabs:
Step 4 will results in a CSRF error. Obviously this is not ideal... How is onemeant to solve this?
There is no need to regenerate the CSRF token upon each form submission. There is little security benefit - if the attacker could retrieve the token from your page then they already have won. This will enable your site to run cross-tabs without error.
See this page for some background on the security aspect: Why [you shouldn't] refresh CSRF token per form request?.
v3 uses a configuration item named csrf_regenerate. Set this to FALSE to prevent regeneration after each request.
The code CodeIgniter uses is discussed in this post: CSRF Protection in CodeIgniter 2.0: A closer look. The relevant code is below:
function csrf_verify()
{
// If no POST data exists we will set the CSRF cookie
if (count($_POST) == 0)
{
return $this>csrf_set_cookie();
}
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->csrf_token_name]) OR
! isset($_COOKIE[$this->csrf_cookie_name]) )
{
$this->csrf_show_error();
}
// Do the tokens match?
if ( $_POST[$this->csrf_token_name]
!= $_COOKIE[$this->csrf_cookie_name] )
{
$this->csrf_show_error();
}
// We kill this since we're done and we don't
// want to polute the _POST array
unset($_POST[$this->csrf_token_name]);
// Re-generate CSRF Token and Cookie
unset($_COOKIE[$this->csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();
log_message('debug', "CSRF token verified ");
}
Simply remove the following code from the function:
// Re-generate CSRF Token and Cookie
unset($_COOKIE[$this->csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();