
CSRF tokens and many forms at one page

This topic is a continuation of this one: https://forum.phalcon.io/discussion/310/csrf-protection

I investigated this issue a little bit more. The problem is: $_SESSION['$PHALCON/CSRF/KEY$'] stores only the FIRST key/token:

    ["$PHALCON/CSRF/KEY$"]=> string(16) "FoIgjaYm9vqIbiy9"
    ["$PHALCON/CSRF$"]=> string(32) "e44ceca0a75c12e5b55d4a519d8fcc90"

And when you post, for example, form #4, the tokens mismatch! Sadly... Does anybody know how to get around it? How to store an array of tokens and check over the array? Maybe I missed something?

You don't need to create a CSRF token for each form in the page; you can use the same CSRF token for all the forms present in the page.

We're not avoiding Cross-Form Request but Cross-Site Request.

The CSRF token is regenerated in every request passed as a hidden value in every form and you'll avoid the Cross-Site Request Forgery as expected.

You can set token before forms, for example:

{% set token_key = security.getTokenKey() %}
{% set token = security.getToken() %}

...and then use token_key and token in all the forms you have. Why not? :) Good luck
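As an added example (not the poster's code), here is how that single shared key/token pair is wired through a controller and checked on submission. The controller name, action names and Volt view path are assumptions, and it relies on Phalcon 3 or later, where getTokenKey()/getToken() reuse the value they generated earlier in the same request.

```php
<?php
// Added example (not from the thread): one CSRF token shared by every form on
// a page, generated once per request and verified on each POST.
// Assumes a Phalcon 3+ app with the default "security" and "session" services.

use Phalcon\Mvc\Controller;

class AccountController extends Controller
{
    // GET /account: render the page that contains several forms.
    public function indexAction()
    {
        // In Phalcon 3+ getTokenKey()/getToken() generate one value per
        // request and return the same value on later calls, so every form
        // rendered below receives the same pair.
        $this->view->setVar('token_key', $this->security->getTokenKey());
        $this->view->setVar('token', $this->security->getToken());
    }

    // POST /account/save: handles any of the forms from the page above.
    public function saveAction()
    {
        if (!$this->request->isPost()) {
            return $this->response->redirect('account');
        }

        // checkToken() with no arguments reads the key name and token value
        // from $_POST and compares them with the pair stored in the session.
        // Its third parameter ($destroyIfValid) defaults to true: the session
        // token is removed after one successful check, so the page is
        // re-rendered (redirect back to indexAction) before the next submit.
        if (!$this->security->checkToken()) {
            $this->response->setStatusCode(403, 'Forbidden');
            return $this->response->setContent('CSRF token mismatch');
        }

        // ... process the submitted form here ...
        return $this->response->redirect('account');
    }
}

/* Volt view (views/account/index.volt); every form embeds the same pair:

<form method="post" action="/account/save">
    <input type="hidden" name="{{ token_key }}" value="{{ token }}" />
    <input type="text" name="email" />
    <button>Update e-mail</button>
</form>

<form method="post" action="/account/save">
    <input type="hidden" name="{{ token_key }}" value="{{ token }}" />
    <input type="password" name="password" />
    <button>Change password</button>
</form>
*/
```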