
CSRF Token check error

Hi,

In my app, in all forms, there is a hidden input with a token. In my controller I have a check. In debug it works, but in normal mode it doesn't work and I don't know why.

Sorry for my bad English.

Code :

<input type='hidden' name='<?php echo $this->security->getTokenKey() ?>' value='<?php echo $this->security->getToken() ?>'/>

if ($this->request->isPost())
{
    if ($this->security->checkToken())
    {
        // token matched: handle the login
    }
}


10.1k

Can you check the log files in production for an error?



4.2k

There is no error.

When I debug with a DebugBreak, the condition is true, but when I test without debug, the condition is false.

I don't know why, and I can't debug....



10.1k

Could the method be called twice? First break OK, second fails? I need some more code to help you. The code above looks fine.



4.2k
edited Aug '19

view ->

<form id="aunthentification" method="post" accept-charset="UTF-8" role="form">
    <fieldset>
        <div class="form-group input-center">
            <input name="username" id="username" type="text" placeholder="Identifiant" class="form-control">
        </div>
        <div class="form-group input-center">
            <input name="password" type="password" placeholder="Mot de passe" class="form-control">
        </div>
        <div class="form-group input-center">
            <input type='hidden' name='<?php echo $this->security->getTokenKey() ?>' value='<?php echo $this->security->getToken() ?>'/>
        </div>
        <div class="form-group input-center">
            <input class="btn btn-lg btn-success btn-block boutons form-control" id="valider" name="accept" type="button" value="Se connecter">
        </div>
    </fieldset>
</form>

controller ->

class AuthController extends ControllerBase
{
    public function loginAction($message = null)
    {
        $config = \Phalcon\DI::getDefault()->get('config');

        //DebugBreak("[email protected]********;d=1,p=0");

        if ($this->request->isPost())
        {
            if ($this->security->checkToken())
            {
                //connection code
            }
        }
        else
        {
            if (isset($message))
            {
                $this->view->message = $message;
            }
        }
    }
}

Hope it's enough.

Thanks for your time.



4.2k
edited Aug '19

Now, $this->security->checkToken() always returns false....

Does anyone have a solution? I checked all the topics but found no solution...

EDIT: After multiple tests, the value of the input and the session value are different. Any explanations?

EDIT2: It works on Firefox but not on Chrome (works with Firefox, Edge, IE, and doesn't work with Chrome, Opera); a problem with Chromium?



4.2k
Accepted
answer

Problem solved...

It was missing the icon....
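The mismatch described in this thread, as an added example that is not from the post or from Phalcon itself: a small token store in plain PHP (no framework) that contrasts minting a new token every time the form is rendered with reusing the session token until it is consumed. It assumes that the browser's extra request (the missing icon, presumably a favicon fetch) ends up rendering the form a second time before the POST arrives; the class and method names are made up for the illustration.

```php
<?php
// Added example, not from the thread or from Phalcon. Assumption: a stray browser
// request (e.g. for a missing favicon) renders the login form a second time.

final class CsrfStore
{
    private array $session = [];  // stands in for $_SESSION

    public function __construct(private bool $regeneratePerRender) {}

    // Called while rendering the form. The fragile variant mints a fresh token on
    // every render, overwriting whatever token the session already holds.
    public function tokenForForm(): string
    {
        if ($this->regeneratePerRender || !isset($this->session['csrf'])) {
            $this->session['csrf'] = bin2hex(random_bytes(16));
        }
        return $this->session['csrf'];
    }

    // Called in the POST handler: constant-time compare, then consume the token
    // so it cannot be replayed.
    public function check(?string $submitted): bool
    {
        $expected = $this->session['csrf'] ?? null;
        unset($this->session['csrf']);
        return $expected !== null
            && $submitted !== null
            && hash_equals($expected, $submitted);
    }
}

// Replays the request sequence from the thread and returns the checkToken() result.
function simulateLogin(bool $regeneratePerRender): bool
{
    $store  = new CsrfStore($regeneratePerRender);
    $inForm = $store->tokenForForm();  // 1. GET /login renders the form
    $store->tokenForForm();            // 2. stray request renders the form again
    return $store->check($inForm);     // 3. POST /login carries the token from step 1
}

// With per-render regeneration, step 2 replaces the session token that the form
// from step 1 still carries; with reuse, the token survives until it is checked.
var_dump(simulateLogin(true));
var_dump(simulateLogin(false));
```

Rendering the form must therefore never overwrite a token that the user has not yet had the chance to submit; a per-session token that is rotated only after a successful check avoids the Chrome-only symptom seen here.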