Fix for issue #149: CSRF protection URI whitelisting

[alexbilbie]

Fix for issue #149

When developing applications that may have a web front end and an API front end (for example using Phil's REST server library) if you have CSRF protection enabled then POST API requests will fail because a non existent CSRF token can't be verified when the request is received.

The changes here add a new config parameter 'csrf_exclude_uris' which allows for URIs to be whitelisted from CSRF protection.

$config['csrf_exclude_uris'] = array('api/person/add');

I've also updated the Security library documentation.

[alexbilbie]

Gah, Github picked up on some other irrelevant commits. The last two in the list above are the relevant commits.

[ericlbarnes]

@alexbilbie Excellent work.

You have any thoughts if it would be better to white list based on external urls instead of your own uris?

[alexbilbie]

No no, that would be far too complicated, wouldn't scale etc. Better to have one or two endpoints that explicitly don't check for a CSRF cookie and yet still have the rest of your application secure

[ericlbarnes]

@alexbilbie Can you also add a note in the changelog about this?

[r-martins]

Great! I needed it some months ago. Thanks.

[abfan1127]

Awesome fix! I have a little lump of code that allows generalized uris to be white listed. For example, if you specify only the controller, all methods will be whitelisted too. Is that something EllisLabs would appreciate within this feature too? Great fix alexbilbie!

[pierluigi]

is this available in the latest stable version? 2.1.0 ?

[shijialee]

still not available in 2.1.1 :-(

[alexbilbie]

For some reason this wasn't merged into 2.1 or 2.1.1 releases. It will definitely be in 3.0.

[ghost]

Still nothing on 2.1.3... It would be great feature.