CSRF in CodeIgniter

Cross-site request forgery (CSRF)

You can enable CSRF protection by modifying your application/config/config.php file in the following way:

$config['csrf_protection'] = TRUE;

If you use the form helper, the form_open() function automatically inserts a hidden CSRF field into your forms. If not, you can add the field yourself using the Security class methods $this->security->get_csrf_token_name() and $this->security->get_csrf_hash():

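<?php // $this->security is CodeIgniter's Security class; it is available in controllers and views ?>
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />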

Regenerating the token on every submission, which is the default, provides stricter security, but may cause usability problems because previously issued tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc.). You can alter this behavior by editing the following config parameter:

$config['csrf_regenerate'] = TRUE;
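
The asynchronous-action problem mentioned above can be handled on the client by reading the token from the CSRF cookie immediately before each request, so a regenerated token is always the one sent. This is an added example, not code from CodeIgniter or from the original page; it assumes the default names csrf_test_name and csrf_cookie_name, no cookie_prefix, and that the cookie is not HttpOnly. The helper names are hypothetical and the sample cookie strings in the comments are constructed.

```javascript
// Assumed CodeIgniter 3 defaults; change these if config.php overrides them.
const CSRF_TOKEN_NAME = 'csrf_test_name';    // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name']

// Extract the current CSRF hash from a document.cookie-style string,
// e.g. the constructed sample 'ci_session=xyz; csrf_cookie_name=0f3a9c'.
// Returns null when the cookie is absent (expired, or HttpOnly and hidden from JS).
function readCsrfToken(cookieString, cookieName = CSRF_COOKIE_NAME) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    // Exact name match, so 'x_csrf_cookie_name' is not mistaken for the token.
    if (part.slice(0, eq).trim() === cookieName) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a form-encoded POST body that carries the token read at call time.
function buildCsrfBody(cookieString, fields) {
  const token = readCsrfToken(cookieString);
  if (token === null) {
    throw new Error('CSRF cookie not found; reload the page to obtain a new token');
  }
  const body = new URLSearchParams(fields);
  body.set(CSRF_TOKEN_NAME, token); // replaces any stale copy passed in `fields`
  return body.toString();
}

// Browser-only wrapper: re-reads document.cookie on every call instead of
// caching the value that was rendered into the page.
function postWithCsrf(url, fields) {
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildCsrfBody(document.cookie, fields),
  });
}
```

Requests fired in parallel can still race when tokens are regenerated, because the first accepted POST replaces the token the others were built with; send them one after another.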