HI - I have
$config['csrf_protection'] = TRUE;
on my dev sys and everything appeared to work well during development. I developed the system with form_open throughout.
Then when I uploaded it to the ISP, CSFR= TRUE gives me an continuous error: “The action you have requested is not allowed.” So I was forced to turn it off.
Ok, so I went back to my dev sys and discovered that despite have CSFR = true and using form_open, I do not see any hidden token value in the rendered HTML source code.
I have read all kinds of posts on this topic. But so far I have not found a straight forward set of instructions on how to over come the problem
I am nervous that I am open to attack - so any advice is gratefully received.