We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

CSRF problems on 2.0.0

I use csrf system identical to vokuro one:

// LoginForm.php

$csrf = new Hidden('csrf');
    new Identical(array(
        'value' => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed'
// login.volt

{{ form.render('csrf', ['value': security.getToken()]) }}

and it's working fine on Phalcon 1.3.4. On 2.0.0 it is working only on first form submit. On every next submit it returns 'CSRF validation failed'.

Any workaround? :I


getToken returns a new token each time, in your code you are getting the token from session and then generating a new one. I've extended Phalcon\Security with:

public function getOrCreateToken() {
    return $this->_dependencyInjector['session']->get('$PHALCON/CSRF$') ?: $this->getToken();


thanks, got it working now :)


Just FYI,

this could be the reason why your CSRF stopped working: