I enabled the csrf_protection option in codeigniter's config file, and used form_open() function to create my forms. But when I submit the form, this error occurs:

The action you have requested is not allowed.

I have done the answers like this topic (that is most related to my question): question

but they didn't work and The problem still remains.

my config.php:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
|   http://example.com/
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
|
*/
$config['base_url'] = '';

/*
|--------------------------------------------------------------------------
| Index File
|--------------------------------------------------------------------------
|
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';

/*
|--------------------------------------------------------------------------
| URI PROTOCOL
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string.  The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO'            Default - auto detects
| 'PATH_INFO'       Uses the PATH_INFO
| 'QUERY_STRING'    Uses the QUERY_STRING
| 'REQUEST_URI'     Uses the REQUEST_URI
| 'ORIG_PATH_INFO'  Uses the ORIG_PATH_INFO
|
*/
$config['uri_protocol'] = 'AUTO';

/*
|--------------------------------------------------------------------------
| URL suffix
|--------------------------------------------------------------------------
|
| This option allows you to add a suffix to all URLs generated by CodeIgniter.
| For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/urls.html
*/

$config['url_suffix'] = '';

/*
|--------------------------------------------------------------------------
| Default Language
|

--------------------------------------------------------------------------
|
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'persian';

/*
|--------------------------------------------------------------------------
| Default Character Set
|--------------------------------------------------------------------------
|
| This determines which character set is used by default in various methods
| that require a character set to be provided.
|
*/
$config['charset'] = 'UTF-8';

/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean).  See the user guide for details.
|
*/
$config['enable_hooks'] = FALSE;


/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries.  For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';


/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs.  When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';


/*
|--------------------------------------------------------------------------
| Enable Query Strings
|--------------------------------------------------------------------------
|
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array.  If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
| example.com?who=me&what=something&where=here
|
| Options are: TRUE or FALSE (boolean)
|
| The other items let you set the query string 'words' that will
| invoke your controllers and its functions:
| example.com/index.php?c=controller&m=function
|
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array']      = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger']   = 'c';
$config['function_trigger']     = 'm';
$config['directory_trigger']    = 'd'; // experimental not currently in use

/*
|--------------------------------------------------------------------------
| Error Logging Threshold
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
|   0 = Disables logging, Error logging TURNED OFF
|   1 = Error Messages (including PHP errors)
|   2 = Debug Messages
|   3 = Informational Messages
|   4 = All Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 0;

/*
|--------------------------------------------------------------------------
| Error Logging Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';

/*
|--------------------------------------------------------------------------
| Date Format for Logs
|--------------------------------------------------------------------------
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';

/*
|--------------------------------------------------------------------------
| Cache Directory Path
|--------------------------------------------------------------------------
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder.  Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';

/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key.  See the user guide for info.
|
*/
$config['encryption_key'] = 'b{{h#/Ib;pd<%+H0?ujvv9KLRc0LR-o8ot"K*so.J&}4\qCQ+Ij81ih\d48fx5_';

/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name'        = the name you want for the cookie
| 'sess_expiration'         = the number of SECONDS you want the session to last.
|   by default sessions last 7200 seconds (two hours).  Set to zero for no expiration.
| 'sess_expire_on_close'    = Whether to cause the session to expire automatically
|   when the browser window is closed
| 'sess_encrypt_cookie'     = Whether to encrypt the cookie
| 'sess_use_database'       = Whether to save the session data to a database
| 'sess_table_name'         = The name of the session database table
| 'sess_match_ip'           = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent'    = Whether to match the User Agent when reading the session data
| 'sess_time_to_update'     = how many seconds between CI refreshing Session Information
|
*/
$config['sess_cookie_name']     = 'ins_mngm_system';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'user_sessions';
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path'   =  Typically will be a forward slash
| 'cookie_secure' =  Cookies will only be set if a secure HTTPS connection exists.
|
*/
$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = TRUE;

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;

/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'relt';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;

/*
|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads.  When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| VERY IMPORTANT:  If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts.  For
| compression to work, nothing can be sent before the output buffer is called
| by the output class.  Do not 'echo' any values with compression enabled.
|
*/
$config['compress_output'] = FALSE;

/*
|--------------------------------------------------------------------------
| Master Time Reference
|--------------------------------------------------------------------------
|
| Options are 'local' or 'gmt'.  This pref tells the system whether to use
| your server's local time as the master 'now' reference, or convert it to
| GMT.  See the 'date helper' page of the user guide for information
| regarding date handling.
|
*/
$config['time_reference'] = 'local';


/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files.  Options are TRUE or FALSE (boolean)
|
*/
$config['rewrite_short_tags'] = FALSE;


/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy IP
| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
| header in order to properly identify the visitor's IP address.
| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
|
*/
$config['proxy_ips'] = '';


/* End of file config.php */
/* Location: ./application/config/config.php */

controller (main.php):

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Main extends CI_Controller {
    //public function __construct()
    //{
    //  $this->load->controller('access_controll');
    //}
    public function index()
    {
            redirect('auth/login');
    }
    public function login()
    {

    }
    public function registration()
    {
        $this->load->view('register');
    }
    public function forgot()
    {

    }
}

/* End of file main.php */
/* Location: ./application/controllers/main.php */

view (login.php):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="<?php echo base_url();?>template/img/favicon.png">
<title>ورود به حساب کاربری</title>

<!-- Bootstrap core CSS -->
<link href="<?php echo base_url();?>template/css/bootstrap.rtl.css" rel="stylesheet">

<!-- Custom styles for this template -->
<link href="<?php echo base_url();?>template/style.css" rel="stylesheet">

<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
      <script src="js/html5shiv.js"></script>
      <script src="js/respond.min.js"></script>
    <![endif]-->
</head>

<body id="login">
<div class="login-content">
  <div class="widget-content">
    <h1>سامانه مدیریت مشتریان</h1>
    <div class="alert alert-danger"><?php echo $message;?></div>
    <?php  echo form_open('auth/login', array('role'=>'form')); ?>
      <div class="form-group">
        <label for="identity">شناسه کاربری:</label>
        <div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
          <?php  echo form_input(array('name'=>'identity', 'type'=>'text', 'placeholder'=>'نام کاربری یا ایمیل', 'class'=>'form-control', 'id'=>'identity')); ?>
        </div>
      </div>
      <div class="form-group">
        <label for="pass">گذرواژه:</label>
        <div class="input-group"> <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
          <?php  echo form_input(array('name'=>'pass', 'type'=>'password', 'placeholder'=>'گذرواژه', 'class'=>'form-control')); ?>
        </div>
      </div>
      <div class="checkbox">
      <div class="col-sm-offset-1 col-sm-12">
        <label>
          <?php echo form_checkbox(array('name'=>'remember', 'value'=>1, 'type'=>'checkbox')); ?>
          مرا به خاطر بسپار </label>
      </div>
      </div>
      <div class="form-group">
      <div class="col-sm-offset-1 col-sm-12">
      <input type="submit" class="btn btn-default" value="ورود" />
      </div>
      </div>
    <?php echo form_close(); ?>
    <div class="forgot">
      <ul class="list-unstyled">
        <li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/registration");?>">ایجاد حساب کاربری جدید</a> </li>
        <li> <i class="glyphicon glyphicon-chevron-left"></i> <a href="<?php echo site_url("main/forgot");?>">رمز عبور خود را فراموش کرده اید؟</a> </li>
      </ul>
    </div>
  </div>
</div>
<!-- /.container --> 

<!-- Bootstrap core JavaScript
    ================================================== --> 
<!-- Placed at the end of the document so the pages load faster --> 
<script src="js/jquery.js"></script> 
<script src="js/bootstrap.rtl.min.js"></script>
</body>
</html>

The problem solved by this Solution:

set $config['cookie_secure'] in config file to FALSE if you're using HTTP.

Just Include this in your form and everything will be fine then.

<input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">

The easiest one for me was to whitelist the URI as explained in CodeIgniter User Guide (here)

Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the ‘csrf_exclude_uris’ config parameter:

$config['csrf_exclude_uris'] = array('api/person/add');

if you allow true in $config['csrf_protection'] = true; within config file and you are also add autoload form than we can use.

Step 1. within config folder autoload file upload form helper

$autoload['helper'] = array('url', 'file','form');

Step 2.

$config['csrf_protection'] = true; 

Step 3. while uploading in view folder

<?php echo form_open_multipart('admin/file_upload'); ?>

Otherwise, you can use only

$config['csrf_protection'] = false;

To everyone who tried everything that was suggested here, and still has this problem.

My issue was the expiration time of the cookie.

$config['csrf_expire'] = 7200;

Afte the cookie expires and the user tries to submit an form, they will get the error

The action you have requested is not allowed.

I added a simple javascript to every page, which fixes the issue for 99% of your users. (the 1% being users who have JS disabled in their browser)

setInterval(function () {
  if(alert('Your session has expired!')){}
  else    window.location.reload(); 
}, 7200000);

The same problem I faced while working on localhost and enabled the csrf token to true in the config file. I tried all solutions posted on StackOverflow and finally solved it by myself.

I made the changes in Session Variables inside the config.php file and replaced the following code

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

with

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'core_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

And after that, you will get an error related to the database Table '.core_sessions' doesn't exist because this time we are storing session in the database so you must create a table that will store the session values with the following SQL Query in your database.

CREATE TABLE IF NOT EXISTS `core_sessions` ( `id` varchar(128) NOT NULL, `ip_address` varchar(45) NOT NULL, `timestamp` int(10) UNSIGNED NOT NULL DEFAULT 0, `data` blob NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8

If you using the form_open helper function then you don't have to add anything extra like the csrf token and its hash value whereas the HTML form required you to add a hidden field with the csrf token name and its value.

<input type="hidden" 
               name="<?php echo $this->security->get_csrf_token_name();?>" 
               value="<?php echo $this->security->get_csrf_hash();?>">

I hope this will work for you as well as for upcoming visitors. Thanks

In config/config.php I have

$config['csrf_token_name'] = 'my.token.name';

But when I use var_dump for $_POST I see:

 ["my_token_name"]=> string(32) "f5d78f8c8bb1800d10af59df8c302515"

CI change my csrf_token_name (sic!)

Solution: I changed

$config['csrf_token_name'] = 'my.token.name';

to

$config['csrf_token_name'] = 'my_token_name';

Now it works.

When all else failed, I noticed that I had my cookie variables set, removing cookie name, etc. resolved my issue.

In the config if you have set the cookie domain name

$config['cookie_domain']    = 'xyz.com';

and you browse using localhost. you will get the error

The action you have requested is not allowed

check that if helps

For those that may still be having an issue with this and for completeness I wanted to add some more information.

I ran into this issue an although some of the answers above were helpful there are a few other things to consider when dealing with csrf.

Starting from the top, and to make this as simple as possible.

If your using autoload.php I typically load these. Not all are needed to correct the issue.

Autoload.php

$autoload['libraries'] = array('session','database','form_validation','user_agent', 'encryption');
$autoload['helper'] = array('url', 'file', 'form');

Config.php

$config['base_url'] = 'http://somesite.org:4848/'; // Port if ur running multiple servers same machine
$config['encryption_key'] = 'kidh743ty9fhw9afh4739hq978h'; //Get an encrypt key, make sure its set

//Sessions
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = '_ss_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'Sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

// Cookies
$config['cookie_prefix']    = '_ss_cookie';
$config['cookie_domain']    = '.somesite.org'; // No leading slash here, cookie will not set
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;

// Global XSS - This is deprecated in version 3 
$config['global_xss_filtering'] = FALSE;

// CSRF
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = '_ss_csrf_token';
$config['csrf_cookie_name'] = '_ss_csrf_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

The Controller - The best method for handling csrf is to use a redirect and set flash data.

Register.php

<?php defined('BASEPATH') OR exit('No direct script access allowed');

    class Register extends CI_Controller
    {

      function __construct(){
        parent::__construct();

      }

      public function index(){
          $this->load->view('auth/register');
      }

      public function validate(){

        $full_name = $this->input->post('full_name');
        $email = $this->input->post('email');
        $password = $this->input->post('password');
        $password_again = $this->input->post('password_again');
        $agree = $this->input->post('agree');

        // do something here, then base your redirect on the response

        $some_model_data = $this->register_model->validate($data);              

        if($this->input->is_ajax_request()){

          // echo a json response with the token

          // Response array 
          // use javascript to add the new token to the form
          $response = array(
               'data' => $some_model_data, 
               'token'=> $this->security->get_csrf_hash();
                      );

          // json response 
          echo json_encode($response);  

        }else{
          // redirect to the page 
          $this->__validate_redirect($some_model_data);
        } 
      }

      private function __validate_redirect($where_to){
        switch ($where_to->redirect) {
          case 'register_page':
            redirect(base_url().'register/');
            break;
          case 'success':
            redirect(base_url().'register/success');
            break;
          default:
            redirect(base_url().'register/');
            break;
        }

      }

    }
?>

In the view just make sure you either use:

  <?php echo form_open(); ?>

This will set the csrf token or use the following inside your form in a hidden input:

  <?php echo $this->security->get_csrf_token_name(); ?>

This should be all thats needed to prevent the csrf error for the most part.

I got this error white creating a csv_upload form . just put this code in your form.

<input type="hidden" 
               name="<?php echo $this->security->get_csrf_token_name();?>" 
               value="<?php echo $this->security->get_csrf_hash();?>">

There are many reasons could cause that.

1. first thing check the htaccess file could have some error code like invalid domain name that happen when you copy your project to another domain name.
2. check the csrf token in the view of the form.
3. check the config file in application/config/config.php $config['csrf_protection'] = true;. change it to false and check again to see if the problem is here.
4. you could clean the cache in your browser if this happen only in your browser and the host cache also if happen to any one.
5. if all of these is true check the controller constructer of this operation.

All of these will fix the problem 99% and you can have doubt in the config file if you changed previously.

If you are using Codeigniter version 3.0, you can do the following:

Change

$config['csrf_regenerate'] = TRUE;

to

$config['csrf_regenerate'] = FALSE;

This stops CSRF tokens being regenerated on each submission.

Make sure that your BASE_URL matches the URL that you are viewing. I have two aliases (one was created for oauth) and the project works on both aliases, but CSRF will fail if the BASE_URL doesn't match the URL in the browser.

My config:

$config['csrf_protection'] = true;
$config['csrf_token_name'] = 'csrf_token_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = false;
$config['csrf_exclude_uris'] = array();

Form:

<?php echo form_open_multipart('form/create'); ?>

I did had the same problem. There wasn't any issue with the configuration or any code related bug.

(In my case) The problem was the form's URL was like http://localhost/project/form but the form was submitted to http://[::1]/project/form/create

Problem root was the domain name where the CSRF token was generated and the domain where they were checked. Simply changing the form's URL to http://[::1]/project/form resolved the problem with my project.

It was just a minor workaround, this issue never occurred in the actual production domain

CodeIgniter 4: Add <?= csrf_field() ?> inside your form as stated in the user guide

          // Items change base on category
    $('#category_id').change(function(){
    
  var cat_id = $(this).val();
      var csrf_hash = '<?php echo $this->security->get_csrf_hash();?>'; 
      
// AJAX request
      $.ajax({
        url:'getitems/'+r_type_id,
        method: 'post',
        protocol: 'https:',
        data: {category: cat_id, <?php echo $this->security->get_csrf_token_name();?>: csrf_hash},
        dataType: 'json',
        success: function(response){

          // Remove options 
          $('#item_id').find('option').not(':first').remove();

          // Add options
          $.each(response,function(index,data){
             $('#item_id').append('<option value="'+data['item_id']+'">'+data['item_name']+'</option>');
          });
        }
     });

I've found a solution to this problem which is quite simple. I removed the div with the display:none style surrounding the csrf_protection input. The div is not relevant since the input type is set to hidden. In CodeIginiterFolder/system/helpers/form_helper.php, I changed the following content (around line 75) :

if (is_array($hidden) AND count($hidden) > 0)
{
    $form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
}

for the following one :

if (is_array($hidden) AND count($hidden) > 0)
{
    $form .= form_hidden($hidden);
}

change line no 451

$config['csrf_protection'] = true;

to

$config['csrf_protection'] = false;

Because this csrf_protection is deprecated in CodeIgniter.