Hi all! Does anyone know how I can protect all forms (~10 forms) on a page from CSRF? I already tried setting a hidden input:
{{ form.render('csrf', ['value': security.getToken()]) }}
in form builder class:
// CSRF
$csrf = new Hidden('csrf');
$csrf->addValidator(
    new Identical(array(
        'value' => $this->security->getSessionToken(),
        'message' => $t->form->post->csrf
    ))
);
But it's always validating as false. I have 3 suggestions:
- I should start the session in some BaseController, but I don't know how to do it. Help, please!
- Every form has a unique value="...", but the server side stores only the last token... So on one page, all forms protected from CSRF will fail except for the last form. (I hope that's not true.)
Any suggestions?
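
The failure mode raised in the second suggestion, as an added example that is not part of the original post and is not Phalcon's own code: a token regenerated for every rendered form but kept in a single session slot, next to one per-session token shared by all forms. The function names and the `$session` array (a stand-in for `$_SESSION`) are assumptions made for illustration, and the sketch does not reproduce the internals of Phalcon's Security component.

```php
<?php
// Added example: plain PHP, no framework. $session stands in for $_SESSION
// so the script runs offline from the CLI.

// Pattern A: a fresh token per rendered form, stored in one session slot.
function issueOverwritingToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32)); // replaces the previous token
    return $session['csrf'];
}

// Pattern B: one token per session, reused by every form on the page.
function issueSessionToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Constant-time comparison of the submitted value against the stored one.
function checkToken(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && !empty($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
}

// Render $forms forms (constructed scenario), then count how many of the
// hidden-input values would still validate when submitted.
function countValidForms(callable $issue, int $forms = 10): int
{
    $session = [];
    $rendered = [];
    for ($i = 0; $i < $forms; $i++) {
        $rendered[] = $issue($session); // value placed in that form's hidden input
    }
    $valid = 0;
    foreach ($rendered as $token) {
        $valid += checkToken($session, $token) ? 1 : 0;
    }
    return $valid;
}

printf("overwriting token: %d of 10 forms validate\n", countValidForms('issueOverwritingToken'));
printf("per-session token: %d of 10 forms validate\n", countValidForms('issueSessionToken'));
```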