
Custom CSRF

My site won't work with Phalcon CSRF, because whenever there is an AJAX request that calls the token, it changes.

So I was wondering if it's a bad idea to make a custom key when the user logs in, save it to the session and check if the form and session key are the same? The key would only change on login, and not with every request.

Hope you understand!
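The scheme described in the post above (one token minted at login, kept in the session, compared on each request without being regenerated) is the per-session synchronizer token pattern. The following is an added example of it in plain PHP; it is not code from the thread or from Phalcon. The class name `SessionCsrf`, the session key `_csrf` and the in-memory `$session` array are assumptions made so the file runs from the command line; in an application the array would be `$_SESSION` or the framework's session service.

```php
<?php
// Added example (not from the forum thread or Phalcon): a per-session CSRF
// token. Issued once at login, stored in the session, verified on every
// state-changing request WITHOUT rotation, so concurrent AJAX calls all
// validate against the same value.
declare(strict_types=1);

final class SessionCsrf
{
    private const KEY = '_csrf';   // assumed session key name

    /** Mint a fresh token at login. Call after session_regenerate_id(true). */
    public static function issue(array &$session): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $session[self::KEY] = $token;
        return $token;
    }

    /** Token to embed in a hidden field or send in an X-CSRF-Token header. */
    public static function current(array $session): ?string
    {
        return $session[self::KEY] ?? null;
    }

    /** Verify a submitted token. The stored value is left untouched. */
    public static function verify(array $session, ?string $submitted): bool
    {
        $expected = $session[self::KEY] ?? null;
        if ($expected === null || $submitted === null) {
            return false;
        }
        // Constant-time comparison; a plain === leaks timing information.
        return hash_equals($expected, $submitted);
    }

    /** Drop the token at logout (destroy the whole session as well). */
    public static function clear(array &$session): void
    {
        unset($session[self::KEY]);
    }
}

// --- Demonstration with a constructed in-memory session -------------------
$session = [];

// 1. Login: issue the token exactly once.
$token = SessionCsrf::issue($session);

// 2. Render a form that carries the same token.
$form = sprintf(
    '<input type="hidden" name="csrf" value="%s">',
    htmlspecialchars((string) SessionCsrf::current($session), ENT_QUOTES, 'UTF-8')
);
echo $form, PHP_EOL;

// 3. Several AJAX requests arrive with that token; all are accepted because
//    verify() never replaces the session value.
foreach ([1, 2, 3] as $i) {
    $ok = SessionCsrf::verify($session, $token);
    printf("request %d: %s\n", $i, $ok ? 'accepted' : 'rejected');
}

// 4. A forged cross-site request cannot read the victim's session, so it
//    either guesses the token or omits it. Both are rejected.
var_dump(SessionCsrf::verify($session, bin2hex(random_bytes(32))));
var_dump(SessionCsrf::verify($session, null));

// 5. After logout nothing validates any more.
SessionCsrf::clear($session);
var_dump(SessionCsrf::verify($session, $token));
```

A per-session token is an accepted form of the synchronizer token pattern; what matters is that it comes from a CSPRNG, that the session id is regenerated at login so a fixated session does not carry a token the attacker already knows, that the comparison is constant-time, and that the token travels in a hidden field or request header rather than in the URL. Per-request rotation is what breaks parallel AJAX requests, because only the first response to reach the server finds the value it was issued with.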




This is what the Phalcon security component is doing anyway; when checking the token, the 3rd param needs to be set to false, and then it won't delete it with each request:

```php
// getSessionToken() takes no arguments: it returns the token already stored in
// the session without generating a new one. The "don't destroy" flag is the
// third parameter of checkToken($tokenKey, $tokenValue, $destroyIfValid).
$this->add('csrf', new Identical([
    'value'   => $this->security->getSessionToken(),
    'message' => 'CSRF validation failed',
]));
```

It is false; it still changes.