
CSRF again

I met one more problem with CSRF protection. All works fine, but when I'm trying to post ANY CSRF-protected form from the FIRST PAGE, it always fails. I'm using pagination:

public function indexAction($boardAbbr, $currentPage = 1)
{
    ........
    // Passing a resultset as data
    $paginator = new Paginator(array(
        'data' => Threads::find(array(
            'board_id = ?0',
            'bind' => array($board->id),
            'order' => 'modified_at DESC'
        )),
        'limit' => $this->config->hakaba->threadsPerPage,
        'page'  => $currentPage
    ));

    ...
    $this->view->page = $paginator->getPaginate();
    $this->view->token = $this->security->getToken();
    $this->view->tokenKey = $this->security->getTokenKey();

view:

{% for thread in page.items %}
    {{ partial('partials/thread') }}
{% endfor %}

Note that the error appears on the first page only. No matter whether the URL is https://localhost/nature or https://localhost/nature/page/1, in any case I get changed tokens. But when I try to post the form on https://localhost/nature/page/2, it is posted successfully. Any ideas?

Sorry, all is okay. I spent half a day realizing that the action I post to is from another controller, and I just added $this->view->disable(); Now it works!

I was mistaken. The problem still exists. :((




Is the validation code right after the token generation $this->view->token = $this->security->getToken(); ?

Yes. Like this: if ($this->security->checkToken()) { /* all is ok */ } else { /* bad token */ }

But it works only a few times... I don't know why, and when it happens it's a very mysterious thing.