Hi,
I can't seem to get the CSRF check working, could you please help?
This is the code:
LoginForm.php
<?php
use Phalcon\Forms\Form;
use Phalcon\Forms\Element\Hidden;

class LoginForm extends Form
{
    public function initialize()
    {
        // Key and value of the CSRF token pair come from the security service
        $crf_name = $this->security->getTokenKey();
        $crf_value = $this->security->getToken();
        // Hidden field: the name is the token key, the value is the token
        $crf = new Hidden("crf");
        $crf->setAttribute("name", $crf_name);
        $crf->setAttribute("value", $crf_value);
        $this->add($crf);
        ...
    }
}
The hidden element crf is created like this:
<input type="hidden" id="crf" name="..." value="...">
LoginController.php
<?php
...
if ($this->request->isPost()) {
    // checkToken() with no arguments takes the token key from the session
    // and looks up the submitted value in $_POST under that key
    if ($this->security->checkToken()) {
        ...
The value exists in $_POST and there is a value in $_SESSION; however, it never seems to pass the check. I don't know much about this: the values in $_POST and $_SESSION differ, but I assume that is the point.
I've tried changing the id of the crf element to the value of getTokenKey(), so that the value returned by getTokenKey() exists in both the id and the name; the result is similar to this:
<input type="hidden" id="..." name="..." value="...">
Perhaps you can see what I've done wrong.
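For anyone reading along, here is the synchronizer-token pattern that the getTokenKey()/getToken()/checkToken() calls in the post implement, written as a stand-alone PHP script against plain sessions so it can be run without the framework. This is an added illustration, not Phalcon's own code and not the poster's; the session key names and the helper function names are assumptions chosen for the example. The point it shows: the key is the field name, the value is the token, and the check looks up $_POST under the key stored in the session and requires that value to equal the stored token, which is then discarded so it cannot be replayed.

```php
<?php
// Added illustration (not Phalcon's own code): the synchronizer-token pattern
// behind getTokenKey()/getToken()/checkToken(), on plain PHP sessions.
// Session key names below are assumptions made for this example.

const SESS_KEY   = 'csrf_key';    // assumed: where the hidden field's name is kept
const SESS_VALUE = 'csrf_value';  // assumed: where the expected token is kept

/** Field name for the hidden input; created once per session and reused. */
function csrfTokenKey(): string
{
    if (empty($_SESSION[SESS_KEY])) {
        $_SESSION[SESS_KEY] = bin2hex(random_bytes(8));
    }
    return $_SESSION[SESS_KEY];
}

/** Token value; created once per session and reused until consumed. */
function csrfToken(): string
{
    if (empty($_SESSION[SESS_VALUE])) {
        $_SESSION[SESS_VALUE] = bin2hex(random_bytes(32));
    }
    return $_SESSION[SESS_VALUE];
}

/** Render the hidden field: name = token key, value = token. */
function csrfHiddenField(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars(csrfTokenKey(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Validate a POST body against the session. True only when the field named
 * by the stored key is present and equals the stored token (constant-time
 * comparison). A successful check discards the pair to prevent replay.
 */
function csrfCheck(array $post): bool
{
    $key      = $_SESSION[SESS_KEY]   ?? null;
    $expected = $_SESSION[SESS_VALUE] ?? null;
    if ($key === null || $expected === null || !isset($post[$key])) {
        return false;   // no token issued, or the field is missing/misnamed
    }
    $ok = hash_equals($expected, (string) $post[$key]);
    if ($ok) {
        unset($_SESSION[SESS_KEY], $_SESSION[SESS_VALUE]);
    }
    return $ok;
}

// --- Demonstration with a constructed session and POST bodies (no web server) ---
$_SESSION = [];

echo csrfHiddenField(), PHP_EOL;                  // what the form would emit
$postGood  = [csrfTokenKey() => csrfToken()];     // browser sends the field back as-is
$postBad   = ['crf' => csrfToken()];              // right value, but field named "crf"
$postStale = $postGood;                           // same token submitted a second time

var_dump(csrfCheck($postBad));    // bool(false): no $_POST entry under the session key
var_dump(csrfCheck($postGood));   // bool(true)
var_dump(csrfCheck($postStale));  // bool(false): pair was consumed by the first check
```

Two things in the script are worth checking against any real form: the hidden field's name attribute must be exactly the key that the session holds at check time (the element's id plays no part in the lookup), and the key/value pair must be generated once and reused until checked, since regenerating it after the form has been rendered will make every submission fail.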