I know that the question was answered, but I did it in the same way without breaking the CI core. I added the following to the application / config / config.php file:
$config['csrf_ignore'] = array('api');
An array can include any paths you like. The above example applies to any paths starting with "api".
Then I added the following file: application / core / MY_Input.php :
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); class MY_Input extends CI_Input { function _sanitize_globals() { $ignore_csrf = config_item('csrf_ignore'); if (is_array($ignore_csrf) && count($ignore_csrf)) { global $URI; $haystack = $URI->uri_string(); foreach($ignore_csrf as $needle) { if (strlen($haystack) >= strlen($needle) && substr($haystack, 0, strlen($needle)) == $needle) { $this->_enable_csrf = FALSE; break; } } } parent::_sanitize_globals(); } }