
Csrf [SOLVED]

How do I correctly use CSRF?

    use Phalcon\Forms\Element\Hidden;
    use Phalcon\Validation\Validator\Identical;

    // Variant 1: hidden field named with the token key, value from getToken()
    $csrf = new Hidden('csrf', array(
        'name'  => $this->security->getTokenKey(),
        'value' => $this->security->getToken(),
    ));
    // Submitted value must match the token stored in the session
    $csrf->addValidator(new Identical(array(
        'value'   => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed',
    )));
    $this->add($csrf);

OR

    // Variant 2: hidden field value taken from getSessionToken()
    $csrf = new Hidden('csrf', array(
        'value' => $this->security->getSessionToken(),
    ));
    $csrf->addValidator(new Identical(array(
        'value'   => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed',
    )));
    $this->add($csrf);



Actually, using only the value is secure enough for most cases. A token lives only between two requests, so a hacker gets only one attempt to guess it. It's just impossible, even without a random name. But... if someone even amazingly guesses it once... you can be sure such an event will not repeat for the next septillion years...

getToken and getTokenKey will (re)generate a new hash in the session, whereas getSessionToken only gets the hash value from the session. So you should use getToken for the newly created form and getSessionToken for checking. Please check the Vokuro example. I also use CSRF to prevent users from double submitting the form.




Thank you all =)




Hi,

I have strange behavior with CSRF. On Safari and Firefox the first attempt fails, then it works every time after the first failure (or after refreshing the page). However, on Chrome it never works.

I printed out the post form and the session token:

    firefox: 'ylzSyttP6UPUAGT' => string '27a71405a83b9fb24ec2e0de82176c79' (length=32) vs string '27a71405a83b9fb24ec2e0de82176c79' (length=32)
    chrome: 'tcUnmPBQ1HHIYmhv' => string '4cd119033e49ae97e15cc1ff8fae7fe9' (length=32) vs string 'ab02ca662e82d4847b01a7c7bc229bb5' (length=32)

Any help will be appreciated! Thanks, R




Phalcon has such behavior: you can use any number of forms on your page (often a whole herd of modal windows). Tokens for each form are generated and stored in the session. Thus you can check the last token generated, and the last only. The rest of the behavior is subject to the rules of PHP sessions.
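The two replies above (generate with getToken when the form is rendered, compare against getSessionToken when it is submitted, and remember that the session only keeps the most recently generated token) can be put together as follows. This is an added example, not code from the thread, from Vokuro, or from Phalcon itself; it assumes a Phalcon 2.x/3.x application whose DI registers the security, request, session, flash and view services, a ContactController with a route, and a Volt view at contact/index.volt (all assumed names).

```php
<?php
// Added example (not from the thread or the Phalcon project). Assumes the DI
// registers `security`, `request`, `session`, `flash` and `view`, and that a
// session is started before the token is generated.

use Phalcon\Forms\Form;
use Phalcon\Forms\Element\Hidden;
use Phalcon\Forms\Element\Text;
use Phalcon\Validation\Validator\Identical;
use Phalcon\Validation\Validator\Email;
use Phalcon\Mvc\Controller;

class ContactForm extends Form
{
    public function initialize()
    {
        $email = new Text('email');
        $email->addValidator(new Email(['message' => 'A valid e-mail is required']));
        $this->add($email);

        // The hidden field carries the token, but its value is NOT generated
        // here: initialize() also runs when the form is rebuilt to validate a
        // POST, and calling getToken() there would overwrite the session token
        // the browser is about to submit, so validation could never pass.
        $csrf = new Hidden('csrf');

        // getSessionToken() only reads the stored value, so it is the right
        // side of the comparison on the validation path.
        $csrf->addValidator(new Identical([
            'value'   => $this->security->getSessionToken(),
            'message' => 'CSRF validation failed',
        ]));
        $this->add($csrf);
    }
}

class ContactController extends Controller
{
    public function indexAction()
    {
        $form = new ContactForm();

        if ($this->request->isPost()) {
            // Validation path: getToken() is never called before isValid().
            if ($form->isValid($this->request->getPost())) {
                // ... persist the message, send mail, etc. ...
                return $this->response->redirect('contact/thanks');
            }
            foreach ($form->getMessages() as $message) {
                $this->flash->error((string) $message);
            }
        }

        // Render path: generate the token once per request and hand the same
        // value to every form on the page. The session keeps only the most
        // recently generated token, so two forms that each called getToken()
        // would leave the first form with a value that can no longer validate.
        $this->view->form      = $form;
        $this->view->csrfValue = $this->security->getToken();

        // contact/index.volt (Volt markup, reproduced here as a comment):
        //   <form method="post" action="/contact">
        //     {{ form.render('email') }}
        //     {{ form.render('csrf', ['value': csrfValue]) }}
        //     <button type="submit">Send</button>
        //   </form>
    }
}
```

The important ordering is that on a POST the form is built and validated before any new token is generated; on the following render a fresh token is issued, which also gives the double-submit protection mentioned above, because a re-sent copy of the old form carries a token the session no longer holds.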




Here is the full code with the issue; I left the var_dump there: https://github.com/avra911/test.phalcon/tree/master/app

Maybe with the code somebody can figure out what is wrong, and I repeat, this is happening every time on Chrome, not Firefox :-|

After searching the forum I found https://forum.phalcon.io/discussion/922/csrf-protection-not-working#C3567 which is exactly the same issue. It looks like CSRF has strange behavior on index/index.

I need to thank @Max Castro (changing the "/" route to something different from index/index worked perfectly).

Thanks