I am creating a web app as well as android application. For website i am using code igniter in which i have enabled as:
$config['csrf_protection']=TRUE;
now when a user tries to login from android application (which also uses that login) android can't query the server since android app does not have a csrf token. I don't want to remove csrf protection. is there another way to solve this?
When csrf protection is on in codeigniter, codeigniter check every form submission if there was any value of crsf hash key with the name of csrf token, so you have to submit every form with the csrf data.
Make a function like
csrf_details(){
$csrf = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()
);
echo json_encode($csrf);
}
get those details with curl or something like that on android by below link http://domain.name/controller/csrf_details
put the value in a variable
$details = file_get_contents(http://domain.name/controller/csrf_details);
make form like this
<input type="hidden" name="<?php echo $details['name']?>" value="<?php echo $details['hash']?>"/>
when you gonna submit this form this hash value will be submitted with the formdata as csrf token