We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Custom CSRF

My site wont work with Phalcon CSRF, becuase when ever there is a ajax request that class the token, it changes.

So i was wondering if it's a bad idea to make a custom key when the user logs in, save it to the session and check if form and session key is the same? But the key only changes on logins, and not with every request.

Hope you understand!


this is what the phalcon securoity is doing anyways, when checking token , 3rd param needs to be set to false, and it wont delete with each request

$this->add('csrf', new Identical(array( 'value' => $this->security->getSessionToken(null, null, false), 'message' => 'CSRF validation failed' )));

It is false, still changes.