Hello,
i moved my system to another server.
But now i get always CSRF validation failed, when i want to login or register. All caches are cleared before.
I am using phalcon 3.0, PHP 5.6.24 and Centos 7. I must say that my local machine is on a windows xampp system with a different PHP Version (7.0.9).
Rgds Stefan
check network tab, make sure there are not requests between form display and form submit. Like "favicon" request and stuff
https://forum.phalcon.io/discussion/4737/csrf-validation-does-not-work-on-remote-server
Also make sure session service is registred and working
Hi Izo,
thx for your answer and please more help :-)
Ok now i have the problem, where i have to insert this code.
In Vokuro the forms will generate in 1 initialize() function and here is the CSRF implementaion:
<?php
namespace Vokuro\Forms;
use Phalcon\Forms\Form;
use Phalcon\Forms\Element\Text;
use Phalcon\Forms\Element\Password;
use Phalcon\Forms\Element\Submit;
use Phalcon\Forms\Element\Check;
use Phalcon\Forms\Element\Hidden;
use Phalcon\Validation\Validator\PresenceOf;
use Phalcon\Validation\Validator\Email;
use Phalcon\Validation\Validator\Identical;
class LoginForm extends Form
{
public function initialize()
{
// Email
$email = new Text('email', [
'placeholder' => 'Email'
]);
$email->addValidators([
new PresenceOf([
'message' => 'The e-mail is required'
]),
new Email([
'message' => 'The e-mail is not valid'
])
]);
$this->add($email);
// Password
$password = new Password('password', [
'placeholder' => 'Password'
]);
$password->addValidator(new PresenceOf([
'message' => 'The password is required'
]));
$password->clear();
$this->add($password);
// Remember
$remember = new Check('remember', [
'value' => 'yes'
]);
$remember->setLabel('Remember me');
$this->add($remember);
// CSRF
$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical([
'value' => $this->security->getSessionToken(),
'message' => 'CSRF validation failed'
]));
$csrf->clear();
$this->add($csrf);
$this->add(new Submit('go', [
'class' => 'btn btn-success'
]));
}
}Now i have also to implement this workaround. Please can you give me a short trick to do that.
Rgds
Stefan
Hi Stefan,
i dont know what does this do
$csrf->clear();perhaps it has to be
$csrf = new Hidden('csrf');
$tokenVal = $this->security->getSessionToken();
$csrf->addValidator(new Identical([
'value' => $tokenVal,
'message' => 'CSRF validation failed'
]));
$csrf->setDefault($tokenVal);
$this->add($csrf);
let me know if changes anythign for you
btw i do it following this example here https://docs.phalcon.io/en/latest/reference/security.html#cross-site-request-forgery-csrf-protection
with writing my input in the view directly. And after that i check if myself in the action.
No sorry, this is not working, but i will try the action variant
Hi Izo,
got it!!! I have changed the /session permission recursive in /usr/lib/php/.
The solution from Thien works for me: https://forum.phalcon.io/discussion/4737/csrf-validation-does-not-work-on-remote-server
Thx again Stefan