Codeigniter csrf expired token

Use the Output class. From the User Guide:

$this->output->set_status_header(code, 'text');

Permits you to manually set a server status header. Example:

$this->output->set_status_header('401');// Sets the header as: Unauthorized

I was about to suggest extending the Security class and overwriting the function that generates the CSRF error:

/** * Show CSRF Error * * @return  void */public function csrf_show_error(){    //show_error('The action you have requested is not allowed.');    // Set 401 header instead of the default 500    show_error('The action you have requested is not allowed.', 401);}

...but this won't always be correct - And most importantly, I don't think you need to do this when the token is submitted. You should already have sent the unauthorized header before the token was even validated.

From your comment:

It's not that the csrf token and the session are directly related but the default expiration of both are the same. So if the user hasn't refreshed their browser in a while, and then refreshes the page, CI will renew the session and the csrf token.... but with ajax, since it cant refresh the token, it just returns the 500 error.

If this is the only thing preventing you from validating the session before the CSRF token, try setting the session token to expire 10 seconds earlier than the token. If the request is unauthorized, there's no point in validating the token to begin with.