Now I have a situation where JavaScript from example.com has access to the site test1.example.com. I did that through crossdomain and I want to prevent CSRF injection.
I thought to do this in the standard way, on the server side: I create a hash and save the hash in the session. But I can't do that, because when I save the hash in $_SESSION and want to check it from the client side, $_SESSION is empty, because it's another domain (when I implement that through a proxy script on the server side, there is no problem). The function check_csrf_token always returns false.
Simple code from the server side:
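public function get_csrf_token(){
    // Generate an unpredictable token from the CSPRNG and bind it to the session
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token; // returned so it can be handed to the client
}
private function check_csrf_token($token){
    // Reject when the session holds no token or none was submitted (e.g. session cookie not sent)
    if (empty($_SESSION['token']) || !is_string($token)) {
        return false;
    }
    // Constant-time comparison; the caller passes the request value, e.g. $this->input->get('token')
    return hash_equals($_SESSION['token'], $token);
}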