rahulchhangani/MY_Security.php

## MY_Security.php
<?php

class MY_Security extends CI_Security{

	//overriding the normal csrf_verify, this gets automatically called in the Input library's constructor
	//verifying on POST and PUT and DELETE
	public function csrf_verify(){

		$request_method = strtoupper($_SERVER['REQUEST_METHOD']);

		//If it is GET, ignore the rest
		if($request_method == 'GET' OR $request_method == 'HEAD' OR $request_method == 'OPTIONS'){
			return $this->csrf_set_cookie();
		}

		// Check if URI has been whitelisted from CSRF checks
		if($exclude_uris = config_item('csrf_exclude_uris')){
			$uri = load_class('URI', 'core');
			if(in_array($uri->uri_string(), $exclude_uris)){
				return $this;
			}
		}

		//Double submit cookie method: COOKIE needs to exist and at least either POST or SERVER needs to exist and at least one of the POST or SERVER must match the COOKIE
		if(
			!isset($_COOKIE[$this->_csrf_cookie_name])
			OR
			(
				!isset($_POST[$this->_csrf_cookie_name])
				AND
				!isset($_SERVER['HTTP_X_XSRF_TOKEN'])
			)
		){

			$this->csrf_show_error();

		}

		//if CSRF token was in the POST, then it needs to match the cookie
		if(isset($_POST[$this->_csrf_token_name])){
			if($_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]){
				$this->csrf_show_error();
			}
		}

		//if CSRF token was in the SERVER (headers), then it needs to match the cookie
		if(isset($_SERVER['HTTP_X_XSRF_TOKEN'])){
			if($_SERVER['HTTP_X_XSRF_TOKEN'] !== $_COOKIE[$this->_csrf_cookie_name]){
				$this->csrf_show_error();
			}
		}

		// We kill this since we're done and we don't want to polute the _POST array
		unset($_POST[$this->_csrf_token_name]);

		if(config_item('csrf_regenerate')){
			unset($_COOKIE[$this->_csrf_cookie_name]);
			$this->_csrf_hash = '';
		}

		$this->_csrf_set_hash();
		$this->csrf_set_cookie();

		log_message('debug', 'CSRF token verified');
		return $this;

	}

}
	<?php

	class MY_Security extends CI_Security{

	//overriding the normal csrf_verify, this gets automatically called in the Input library's constructor
	//verifying on POST and PUT and DELETE
	public function csrf_verify(){

	$request_method = strtoupper($_SERVER['REQUEST_METHOD']);

	//If it is GET, ignore the rest
	if($request_method == 'GET' OR $request_method == 'HEAD' OR $request_method == 'OPTIONS'){
	return $this->csrf_set_cookie();
	}

	// Check if URI has been whitelisted from CSRF checks
	if($exclude_uris = config_item('csrf_exclude_uris')){
	$uri = load_class('URI', 'core');
	if(in_array($uri->uri_string(), $exclude_uris)){
	return $this;
	}
	}

	//Double submit cookie method: COOKIE needs to exist and at least either POST or SERVER needs to exist and at least one of the POST or SERVER must match the COOKIE
	if(
	!isset($_COOKIE[$this->_csrf_cookie_name])
	OR
	(
	!isset($_POST[$this->_csrf_cookie_name])
	AND
	!isset($_SERVER['HTTP_X_XSRF_TOKEN'])
	)
	){

	$this->csrf_show_error();

	}

	//if CSRF token was in the POST, then it needs to match the cookie
	if(isset($_POST[$this->_csrf_token_name])){
	if($_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]){
	$this->csrf_show_error();
	}
	}

	//if CSRF token was in the SERVER (headers), then it needs to match the cookie
	if(isset($_SERVER['HTTP_X_XSRF_TOKEN'])){
	if($_SERVER['HTTP_X_XSRF_TOKEN'] !== $_COOKIE[$this->_csrf_cookie_name]){
	$this->csrf_show_error();
	}
	}

	// We kill this since we're done and we don't want to polute the _POST array
	unset($_POST[$this->_csrf_token_name]);

	if(config_item('csrf_regenerate')){
	unset($_COOKIE[$this->_csrf_cookie_name]);
	$this->_csrf_hash = '';
	}

	$this->_csrf_set_hash();
	$this->csrf_set_cookie();

	log_message('debug', 'CSRF token verified');
	return $this;

	}

	}