I've noticed that there seems to be some confusion on how to use the new CSRF protection in CodeIgniter 2.0. I think the reason for all the confusion is that it is so simple to use that some developers may be overthinking it.

There are basically two steps to it. First you set:

$config["csrf_protection"] = TRUE;

in your application's config file (application/config/config.php). One of the effects of this is that every HTTP POST to every controller has to include the CSRF token or CI will reject it: CI compares the token in the POST data against the one it stored in its CSRF cookie and shows an error page if either is missing or they differ. You can either print out the token yourself, with something like:

<input type="hidden" name="<?php echo $this->security->csrf_token_name?>" value="<?php echo $this->security->csrf_hash?>" />

or simply use the form helper's form_open() to insert both the opening <form> tag and the hidden field above automatically. Note that form_open() only adds the field when csrf_protection is enabled and the form POSTs to an action on your own base_url, so a form pointed at another site gets no token.

While possibly not ideal (particularly when JavaScript is disabled), here's how one could set up a jQuery AJAX log-out HTML link that still submits a correct CSRF token. The trick is to keep an otherwise empty form on the page purely so that form_open() emits the token, then serialize that form into the AJAX POST.

<?php echo form_open('controller/logoutmethod', array('id' => 'logoutfrm')); ?>
    <!-- maybe stick a <noscript> logout button in here? could get wonky -->
</form>
<a href="#" id="logout">Log out</a>

Then in your $(document).ready() you could add:

$('#logout').click(function (e) {
    e.preventDefault(); // don't follow the href; the POST below does the work
    // serialize() picks up the hidden CSRF field that form_open() emitted
    $.post('/controller/logoutmethod', $('#logoutfrm').serialize(), function (resp) {
        // handle logout actions, or just reload the page
        window.location.reload();
    }, 'json');
});

Just an example, you may or may not want to do it that way. Thoughts?