
Vokuro CSRF validation failed after move from Windows to CentOS

Hello,

I moved my system to another server, but now I always get "CSRF validation failed" when I want to log in or register. All caches were cleared beforehand.

I am using Phalcon 3.0, PHP 5.6.24 and CentOS 7. I must say that my local machine is a Windows XAMPP system with a different PHP version (7.0.9).

Rgds Stefan



85.5k
edited Aug '16

Check the network tab and make sure there are no requests between form display and form submit, like a "favicon" request and stuff.

https://forum.phalcon.io/discussion/4737/csrf-validation-does-not-work-on-remote-server

Also make sure the session service is registered and working.



60.0k

Hi Izo,

thx for your answer and please more help :-)

OK, now I have the problem of where I have to insert this code.

In Vokuro the forms are generated in one initialize() function, and here is the CSRF implementation:

<?php
namespace Vokuro\Forms;

use Phalcon\Forms\Form;
use Phalcon\Forms\Element\Text;
use Phalcon\Forms\Element\Password;
use Phalcon\Forms\Element\Submit;
use Phalcon\Forms\Element\Check;
use Phalcon\Forms\Element\Hidden;
use Phalcon\Validation\Validator\PresenceOf;
use Phalcon\Validation\Validator\Email;
use Phalcon\Validation\Validator\Identical;

class LoginForm extends Form
{

    public function initialize()
    {
        // Email
        $email = new Text('email', [
            'placeholder' => 'Email'
        ]);

        $email->addValidators([
            new PresenceOf([
                'message' => 'The e-mail is required'
            ]),
            new Email([
                'message' => 'The e-mail is not valid'
            ])
        ]);

        $this->add($email);

        // Password
        $password = new Password('password', [
            'placeholder' => 'Password'
        ]);

        $password->addValidator(new PresenceOf([
            'message' => 'The password is required'
        ]));

        $password->clear();

        $this->add($password);

        // Remember
        $remember = new Check('remember', [
            'value' => 'yes'
        ]);

        $remember->setLabel('Remember me');

        $this->add($remember);

        // CSRF
        $csrf = new Hidden('csrf');

        $csrf->addValidator(new Identical([
            'value' => $this->security->getSessionToken(),
            'message' => 'CSRF validation failed'
        ]));

        $csrf->clear();

        $this->add($csrf);

        $this->add(new Submit('go', [
            'class' => 'btn btn-success'
        ]));
    }
}

Now I also have to implement this workaround. Can you please give me a short trick to do that?

Rgds

Stefan



85.5k

Hi Stefan,

I don't know what this does:

    $csrf->clear();

Perhaps it has to be:


    $csrf = new Hidden('csrf');

    $tokenVal = $this->security->getSessionToken();

    $csrf->addValidator(new Identical([
        'value' => $tokenVal,
        'message' => 'CSRF validation failed'
    ]));

    $csrf->setDefault($tokenVal);

    $this->add($csrf);

Let me know if it changes anything for you.



85.5k

By the way, I do it following this example here: https://docs.phalcon.io/en/latest/reference/security.html#cross-site-request-forgery-csrf-protection

by writing my input in the view directly. And after that I check it myself in the action.



60.0k

No, sorry, this is not working, but I will try the action variant.



60.0k
Accepted answer

Hi Izo,

Got it!!! I have changed the /session permissions recursively in /usr/lib/php/.

The solution from Thien works for me: https://forum.phalcon.io/discussion/4737/csrf-validation-does-not-work-on-remote-server

Thx again Stefan
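
The fix in this thread was a session directory the web server could not use. The following diagnostic is an added example, not code from the thread or from Vokuro; the file name session_probe.php is an assumption. It reports the session storage PHP is using and whether a value written on one request is still there on the next.

```php
<?php
// Added diagnostic, not from the thread or from Vokuro. The file name
// session_probe.php is an assumption. Request it through the web server
// (not the CLI) so it runs as the same user as the application.
// Written to run on PHP 5.6 as well as 7.x.

// Describe the directory used by the "files" session handler.
function session_storage_report()
{
    // save_path may be "N;/dir" or "N;MODE;/dir"; the directory is the last field.
    $parts = explode(';', session_save_path());
    $dir = end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // files handler uses the temp dir when unset
    }
    return array(
        'handler'  => ini_get('session.save_handler'),
        'dir'      => $dir,
        'exists'   => is_dir($dir),
        'writable' => is_writable($dir),
    );
}

// Send the header first so a warning from session_start() cannot block it.
header('Content-Type: text/plain');
session_start();
$report = session_storage_report();

// Value stored by the previous request, if the session survived.
$previous = isset($_SESSION['probe']) ? $_SESSION['probe'] : null;

// A marker to recognise on the next request (not a security token).
$current = uniqid('', true);
$_SESSION['probe'] = $current;

printf("save_handler    : %s\n", $report['handler']);
printf("session dir     : %s\n", $report['dir']);
printf("dir exists      : %s\n", $report['exists'] ? 'yes' : 'no');
printf("dir writable    : %s\n", $report['writable'] ? 'yes' : 'NO');
printf("cookie returned : %s\n", isset($_COOKIE[session_name()]) ? 'yes' : 'no');
printf("previous probe  : %s\n", $previous === null ? '(none)' : $previous);
printf("stored now      : %s\n", $current);
```

Load the page twice in the same browser: on the second load "previous probe" should equal the "stored now" value from the first. If it stays "(none)" while the cookie is returned, session data is not being persisted between requests, so the token stored when the form was rendered is not there to compare against on submit.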