
Codeigniter CSRF protection VS tabs


Background

There is no need to regenerate the CSRF token upon each form submission. There is little security benefit - if the attacker could retrieve the token from your page then they already have won. This will enable your site to run cross-tabs without error.

See this page for some background on the security aspect: Why [you shouldn't] refresh CSRF token per form request?

CodeIgniter v3

v3 uses a configuration item named csrf_regenerate. Set this to FALSE to prevent regeneration after each request.

CodeIgniter v2

The code CodeIgniter uses is discussed in this post: CSRF Protection in CodeIgniter 2.0: A closer look. The relevant code is below:

    function csrf_verify()
    {
        // If no POST data exists we will set the CSRF cookie
        if (count($_POST) == 0)
        {
            return $this->csrf_set_cookie();
        }

        // Do the tokens exist in both the _POST and _COOKIE arrays?
        if ( ! isset($_POST[$this->csrf_token_name]) OR
             ! isset($_COOKIE[$this->csrf_cookie_name]) )
        {
            $this->csrf_show_error();
        }

        // Do the tokens match?
        if ( $_POST[$this->csrf_token_name]
             != $_COOKIE[$this->csrf_cookie_name] )
        {
            $this->csrf_show_error();
        }

        // We kill this since we're done and we don't
        // want to pollute the _POST array
        unset($_POST[$this->csrf_token_name]);

        // Re-generate CSRF Token and Cookie
        unset($_COOKIE[$this->csrf_cookie_name]);
        $this->_csrf_set_hash();
        $this->csrf_set_cookie();

        log_message('debug', "CSRF token verified ");
    }

Simply remove the following code from the function:

    // Re-generate CSRF Token and Cookie
    unset($_COOKIE[$this->csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();
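The following is an added simulation, not code from the answer above or from CodeIgniter, of why per-request regeneration breaks a second tab while per-session tokens do not. It models CodeIgniter's double-submit scheme (token in a cookie, same token echoed in a hidden form field, both compared on POST); the `regenerate` flag stands in for v3's `csrf_regenerate` (v2 behaves as `regenerate=True` until the quoted lines are removed). The class and function names are my own, and the comparison uses `hmac.compare_digest` rather than the `!=` in the CodeIgniter v2 code, which is a hardening choice of this example, not something the post describes.

```python
import secrets
import hmac


class CsrfGuard:
    """Toy double-submit CSRF guard (constructed for illustration).

    The browser has one cookie jar shared by every tab, so `self.cookie`
    is shared state; each tab keeps its own copy of the token it rendered.
    """

    def __init__(self, regenerate: bool):
        self.regenerate = regenerate
        self.cookie = None  # value of the CSRF cookie currently in the browser

    def render_form(self) -> str:
        """A GET that renders a form: ensure a cookie exists, embed its value."""
        if self.cookie is None:
            self.cookie = secrets.token_hex(16)
        return self.cookie  # hidden-field value baked into this tab's form

    def verify(self, posted_token) -> bool:
        """A POST: both halves must exist and match; optionally rotate."""
        if self.cookie is None or posted_token is None:
            return False
        # Constant-time comparison (assumption of this example, not CI v2 code).
        if not hmac.compare_digest(posted_token, self.cookie):
            return False
        if self.regenerate:
            # Mirrors unset($_COOKIE[...]); _csrf_set_hash(); csrf_set_cookie();
            self.cookie = secrets.token_hex(16)
        return True


def two_tab_scenario(regenerate: bool) -> tuple:
    """Open a form in two tabs, submit tab A first, then tab B.

    Returns (tab_a_accepted, tab_b_accepted).
    """
    guard = CsrfGuard(regenerate)
    tab_a = guard.render_form()   # tab A loads the form
    tab_b = guard.render_form()   # tab B loads the same form, same cookie
    a_ok = guard.verify(tab_a)    # A submits; with regeneration the cookie rotates
    b_ok = guard.verify(tab_b)    # B still holds the old token
    return a_ok, b_ok


def forged_post_rejected() -> bool:
    """A cross-site form cannot read the victim's cookie, so it can only
    guess the hidden-field value; the guard must reject it in both modes."""
    results = []
    for regenerate in (True, False):
        guard = CsrfGuard(regenerate)
        guard.render_form()                       # victim has a valid cookie
        results.append(guard.verify("guessed-token"))  # constructed attacker guess
    return not any(results)


if __name__ == "__main__":
    print("regenerate per request:", two_tab_scenario(True))    # (True, False)
    print("token per session:     ", two_tab_scenario(False))   # (True, True)
    print("forged post rejected:  ", forged_post_rejected())    # True
```

The point the answer makes is visible in the return values: with regeneration, tab B's perfectly legitimate submission fails because tab A rotated the shared cookie; without it, both tabs succeed, and a cross-site forgery is still rejected because the attacker never learns the cookie value.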