[ci skip] Document get_csrf_token_name(), get_csrf_hash() (issue #715)
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index e7d2555..0555314 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -26,7 +26,7 @@
To filter data through the XSS filter use this function:
$this->security->xss_clean()
-=============================
+============================
Here is an usage example::
@@ -56,7 +56,7 @@
}
$this->security->sanitize_filename()
-=====================================
+====================================
When accepting filenames from user input, it is best to sanitize them to
prevent directory traversal and other security related issues. To do so,
@@ -76,16 +76,35 @@
Cross-site request forgery (CSRF)
=================================
-You can enable csrf protection by opening your
+You can enable CSRF protection by opening your
application/config/config.php file and setting this::
$config['csrf_protection'] = TRUE;
-If you use the :doc:`form helper <../helpers/form_helper>` the
-form_open() function will automatically insert a hidden csrf field in
-your forms.
+If you use the :doc:`form helper <../helpers/form_helper>`, then
+``form_open()`` will automatically insert a hidden csrf field in
+your forms. If not, then you can use ``csrf_get_token_name()``
+and ``csrf_get_hash()``
-Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+::
+
+ $csrf = array(
+ 'name' => $this->security->csrf_get_token_name(),
+ 'hash' => $this->security->csrf_get_hash()
+ );
+
+ ...
+
+ <input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
+
+Tokens may be either regenerated on every submission (default) or
+kept the same throughout the life of the CSRF cookie. The default
+regeneration of tokens provides stricter security, but may result
+in usability concerns as other tokens become invalid (back/forward
+navigation, multiple tabs/windows, asynchronous actions, etc). You
+may alter this behavior by editing the following config parameter
+
+::
$config['csrf_regeneration'] = TRUE;
@@ -95,3 +114,15 @@
$config['csrf_exclude_uris'] = array('api/person/add');
+$this->security->get_csrf_token_name()
+======================================
+
+Returns the CSRF token name, which is set by
+``$config['csrf_token_name']``.
+
+$this->security->get_csrf_hash()
+================================
+
+Returns the CSRF hash value. Useful in combination with
+``get_csrf_token_name()`` for manually building forms or
+sending valid AJAX POST requests.
\ No newline at end of file