We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Allow Subdomains on CSRF Protection

My application is: app.example.com (Phalcon MVC)

My website is: www.example.com (PHP Native)

I want to app login from website with CSRF but i couldnt solve.

I'm getting CSRF token from application api like that:

public function getCsrfTokenAction()
    return $this->response->setJsonContent(array(
            'key' => $this->security->getTokenKey(), 
            'value' => $this->security->getToken()

And application response service like that:

$di->setShared('response', function () {
    $response = new Response();                      
    $response->setHeader('Access-Control-Allow-Origin', 'example.com');   
    $response->setHeader('Access-Control-Allow-Credentials', true);   

    return $response;

But this is not working. What missing?


edited Mar '17


I think you have to deal with CORS: https://enable-cors.org/

or https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But, I imagine you already know that

And regarding how is your website build (single page javascript frontend app, or a kind of classical php website -like a phalcon mvc one- ) solution may be different ...


$di->setShared('response', function () { ....

set in your api app or in your website app ?

edited Mar '17

Hmm, I'm trying PHP website via POST to Phalcon MVC application. Not javascript.

I have tried Access-Control-Allow-Origin on htaccess, php header and phalcon response but didnt work.

Dou you have an idea?

Website is PHP, Application is Phalcon MVC

edited Mar '17

Dou you have an idea?

unfortunately not ! But for a future project I will have to dig in this kind of scenario ... So I will try to help

Just for clarification: you said that api.example.com is a phalcon mvc app. Does that mean that the sended responses from that host are full html pages ?

How do the www.example.com pages request api.example.com Because usually this situation happend (and maybe is only supported) through XML httpRequest objects.

And for "debuging" purpose, does a cross origin request work if you disable all the csrf token chek ?

Most likely it's about session - you need to set subdomain session.