
Implementing CSRF into OpenID iframe


I've implemented Janrain Open ID on my Codeigniter 2.0 website. It was working great until I enabled CSRF protection in my codeigniter config file.

I read up on it and it seems that in all my forms on my website I should include a hidden form element containing a token, which is then verified against a cookie token after the post is read from the receiving page.

This is all fine and dandy, but where I'm a bit stuck is when I try to log into my site now using OpenID (the login form for which comes from an iframe hosted on janrain.com): I cannot include any sort of hidden post values, because I have no control over what the form looks like and can only supply a return URL so that Janrain knows which page to return me to.

How can I get my CSRF token to submit with the form if the form is in an iframe which I don't control?


Solution

  • Got it solved.

    I ended up sending the iframe my return URL, in which I included the CSRF token as part of the URL. When Janrain returns to my return URL, as Codeigniter goes through the security check inside Security::csrf_verify() I do a little check against the URL to see if my tokens match (unfortunately I wasn't able to use CI libraries for some reason, so I ended up parsing the URL myself using explode('/', $_SERVER['REQUEST_URI'])). If I find a match in the URL to my CSRF cookie token then we're all good, and I don't check against the POST variables which Codeigniter would normally be doing.
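The check described in the answer above, written out as an added example; this is not the answerer's code and not part of CodeIgniter. It assumes a cookie named `csrf_cookie_name` (CodeIgniter's default), an assumed return route of the form `/auth/openid_return/<token>`, a token that is 16 to 64 alphanumeric characters (CodeIgniter 2.0 issues a 32-character hex value), PHP 5.6 or later for `hash_equals()`, and the helper names shown here.

```php
<?php
// Added example, not code from the original post or from CodeIgniter:
// carry the CSRF token in the OpenID return URL and verify it against the
// CSRF cookie on the way back, instead of against a hidden POST field.

const CSRF_COOKIE        = 'csrf_cookie_name';      // CodeIgniter default name (assumed)
const RETURN_PATH_PREFIX = '/auth/openid_return/';  // assumed route for the callback
const TOKEN_PATTERN      = '/^[A-Za-z0-9]{16,64}$/'; // assumed token shape

// Build the return URL handed to the Janrain iframe. The current CSRF cookie
// value becomes the last path segment, so it travels with the redirect.
function build_return_url(string $base, string $csrf_token): string
{
    if (!preg_match(TOKEN_PATTERN, $csrf_token)) {
        throw new InvalidArgumentException('CSRF token has an unexpected form');
    }
    return rtrim($base, '/') . RETURN_PATH_PREFIX . rawurlencode($csrf_token);
}

// Pull the token back out of REQUEST_URI. Same idea as explode('/') in the
// answer, but the query string is dropped first, the route prefix is checked,
// and anything that does not look like a token is rejected outright.
function token_from_request_uri(string $request_uri): ?string
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return null;
    }
    if (strpos($path, RETURN_PATH_PREFIX) !== 0) {
        return null;
    }
    $segments = explode('/', trim($path, '/'));
    $token    = rawurldecode(end($segments));
    return preg_match(TOKEN_PATTERN, $token) ? $token : null;
}

// The check that stands in for the POST-field comparison on the return route.
function csrf_verify_return(array $cookies, string $request_uri): bool
{
    $cookie_token = $cookies[CSRF_COOKIE] ?? '';
    $url_token    = token_from_request_uri($request_uri);
    if ($cookie_token === '' || $url_token === null) {
        return false;
    }
    // Constant-time comparison so a partial match does not leak through timing.
    return hash_equals($cookie_token, $url_token);
}

// Constructed sample round trip (not captured from a real Janrain session).
$token       = bin2hex(random_bytes(16));
$return_url  = build_return_url('https://example.com', $token);
$request_uri = parse_url($return_url, PHP_URL_PATH) . '?janrain_nonce=abc';

var_dump(csrf_verify_return([CSRF_COOKIE => $token], $request_uri));
var_dump(csrf_verify_return([CSRF_COOKIE => $token], RETURN_PATH_PREFIX . 'deadbeef'));
var_dump(csrf_verify_return([CSRF_COOKIE => 'other'], $request_uri));
```

Two points a practitioner will want alongside this: apply the URL check only to the callback route and keep the normal POST-field check everywhere else, and treat the token as spent once the callback has been consumed (issue a fresh cookie value), because a token placed in a URL ends up in server logs, browser history and Referer headers and should not remain valid afterwards.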