@ikhattab
Created September 28, 2010 23:36
I know you protected forms from CSRF as you are already using CI 2, but what about action links which depend on GET, links like 'site_name/users/logout' or even worse 'site_name/admin/news/categories/delete/1'?

What if a user is logged in and visits a malicious link sent by an attacker to a page that contains something like <img src="site_name/admin/news/categories/delete/1" />? As the user is already logged in there will be no problem and he'll have his category with id "1" deleted.

I think we shouldn't rely on GET for actions. GET is only for displaying data.

I think we can solve the problem using one of these two ways:
1- I like what Twitter does to handle this issue. I'll talk about the logout link on the home page ("old version") as an example.
They present their markup for the logout link something like <a onclick="document.getElementById('sign_out_form').submit(); return false;" href="/logout">Sign out</a>
and they have a sign_out_form form at the top of the page, something like
<form style="display: none;" action="/sessions/destroy" id="sign_out_form" method="post">
<input type="hidden" value="SomeRandomToken" name="authenticity_token">
</form>
So in a typical scenario, when the user clicks the logout link, as it has an onclick event bound to it, he actually submits sign_out_form, which has an authenticity_token input field in it to protect the user from CSRF.
But what if the user disabled JavaScript in his browser? The link won't have the onclick event bound to it and will perform the default action, taking the user to the value in the href attribute, which in this case is /logout.
The logout page has a sign-out form in it with the same hidden authenticity_token input field for the user to submit, so Twitter can check the value of authenticity_token.
2- Another way: we could append the token to the URL of the action link, but I don't like this way (ugly URLs and relying on GET for actions).
Finally, I really admire your work on PyroCMS and learn a lot of useful stuff from reading your code. I'm so sorry if I mentioned something wrong, and I hope I can contribute to this project soon :)