Is beforeExecuteRoute a good place to put CSRF checking?

Question

Is beforeExecuteRoute a good place to put CSRF checking?

Martyn Bissett Dec '14

Created Dec '14	Last Reply Dec '14	Replies 1	Views 582	Votes 1

Martyn Bissett 8.3k

Dec '14

I'm learning how to handle CSRF in Phalcon and I want to automate the process so that I don't need to add this to every controller/action. I guess all my forms that POST (does this handle PUT, DELETE too) will need to have the hidden field, that should be OK. Is this a good approach:

<?php

use Phalcon\Mvc\Controller;

class ControllerBase extends Controller
{
    public function beforeExecuteRoute()
    {
        // csrf check
        if ($this->request->isPost()) {
            if (! $this->security->checkToken()) {
                throw new \Exception('Invalid security token');
            }
        }
    }
}

.. so just before action being invoked, it will check if it is a POST and if the token is valid.

1

Dylan Anderson · Answer 1 · 2014-12-09T14:47:39-07:00

I think that's a good place to put it - as an invalid CSRF token is pretty much a kill-switch for the request.