Ion auth csrf protection is older. CI-2 already have
This is provide to security when posting form, ex: POST is from local or server?
ion auth controller file, you see like codes below:
// do we have a valid request?
if ($this->_valid_csrf_nonce() === FALSE)
{
show_error($this->lang->line('error_csrf'));
}
If you remove these validation, you will not get csrf error
You can enable security with CI core lib
http://ellislab.com/codeigniter/user-guide/libraries/security.html
$config['csrf_protection'] = TRUE;
You have to use form_open() tag to triggger csrf protection.