
problems with csrf

Hi guys, I'm having problems using the CSRF part of the security component.

This is what is happening:

I have an indexAction like this:

    public function indexAction()
    {
        $this->view->setVars([
            'lastSessionToken' => $this->security->getSessionToken(),
            'token'            => $this->security->getToken(),
            'newSessionToken'  => $this->security->getSessionToken()
        ]);
    }

And this is the view:

    {{ lastSessionToken }}
    {{ token }}
    {{ newSessionToken }}

And an example result is (first time):


(second time)


So it is not working well, because when I check the last token I always get a new token, but I never wanted to generate the token again yet.

Testing the application, I noticed that the problem is the "javascript_include" that I'm writing before the </body> tag; if I change this and write all the javascript_include calls in the <head>, everything works perfectly.

Can you check how javascript_include is implemented?

Thanks!! Great framework, and sorry for my English.

edited Mar '14

I don't see what the CSRF token issue has to do with the javascript_include thing, but I could be missing something here ;)

Anyway, this is how I implemented it:


    {{ form.render('csrf', ['value': security.getToken()]) }}

can also be:

    {{ hidden_field("csrf", "value": security.getToken()) }}


    use Phalcon\Forms\Element\Hidden;
    use Phalcon\Validation\Validator\Identical;

    $csrf = new Hidden('csrf');

    // Reject the submission unless the posted value equals the token stored in the session
    $csrf->addValidator(new Identical([
        'value'   => $this->security->getSessionToken(),
        'message' => 'Validation failed, please try again.'
    ]));

or just compare $this->security->getSessionToken() against the value in $this->request->get('csrf').
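Putting the two replies together (issue one token, then validate it on submit), here is an added example of the whole flow in a controller. It is not code from either post; it assumes the usual Phalcon FactoryDefault services (security, session, request, response, view, flash) are registered, and ContactController, its action names and the "csrf" field name are made-up illustration names.

```php
<?php
// Added example, not code from the posts above: a minimal Phalcon controller that
// issues one CSRF token per request and validates it on submit. Assumes the usual
// FactoryDefault services (security, session, request, response, view, flash);
// ContactController, the action names and the "csrf" field name are illustrative.

use Phalcon\Mvc\Controller;

class ContactController extends Controller
{
    public function indexAction()
    {
        // Call getToken() once per request and reuse the value. It generates a
        // random token and stores it in the session; calling it again replaces the
        // stored copy (the lastSessionToken != newSessionToken behaviour shown in
        // the first post) and would invalidate a token already written into the
        // form earlier in the same render.
        $token = $this->security->getToken();

        $this->view->setVars([
            'csrfKey'   => $this->security->getTokenKey(),
            'csrfToken' => $token,
        ]);
    }

    public function saveAction()
    {
        if (!$this->request->isPost()) {
            return $this->response->redirect('contact');
        }

        // Built-in check: checkToken() reads the field named by the session's token
        // key, compares it with the stored session token and, by default, destroys
        // the session token afterwards so the same form cannot be replayed.
        if (!$this->security->checkToken()) {
            $this->flash->error('The form has expired, please submit it again.');
            return $this->response->redirect('contact');
        }

        // ... handle the trusted POST data here ...
        $this->flash->success('Saved.');
        return $this->response->redirect('contact');
    }

    // Manual variant of the check described in the reply above (compare
    // getSessionToken() with the submitted value) for a fixed field name "csrf".
    // hash_equals() (PHP 5.6+) keeps the comparison constant-time.
    private function csrfFieldIsValid()
    {
        $expected  = (string) $this->security->getSessionToken();
        $submitted = (string) $this->request->getPost('csrf');

        return $expected !== '' && hash_equals($expected, $submitted);
    }
}
```

In the Volt view the form posts to `contact/save` and carries the token as `{{ hidden_field(csrfKey, 'value': csrfToken) }}` (the `form.render('csrf', ...)` variant from the reply works the same way). The token is generated once in the action and passed to the view rather than calling `security.getToken()` from several templates or partials, because each extra call can replace the token stored in the session. `csrfFieldIsValid()` is the drop-in replacement for the `checkToken()` call when the field name is fixed; unlike `checkToken()` it does not destroy the session token, so replay protection then depends on issuing a new token on the next render.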


Hey, I'm not exactly sure how you are using the security token, but you should see this thread: https://forum.phalcon.io/discussion/922/csrf-protection-not-working

Basically, some of us have encountered a weird issue where having an indexAction as the default route / in the default controller creates some peculiarities with the CSRF component.