Hi all, I have a problem in CSRF security functionality in form. So there is my setup:
Form class:
class SignupForm extends Base
{
public function initialize()
{
$email = new Text('email');
$email->setLabel($this->translation->_('E-Mail'))
->setAttribute('placeholder', $this->translation->_('E-Mail'))
->addValidators(array(
new PresenceOf(array(
'message' => $this->translation->_('The e-mail is required'),
'cancelOnFail' => true
)),
new Email(array(
'message' => $this->translation->_('The e-mail is not valid'),
))
));
$this->add($email);
// Sign Up
$this->add(new Submit('signUp', array(
'value' => $this->translation->_('Sign up')
)));
$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical(array(
'value' => $this->security->getSessionToken(),
'message' => $this->translation->_('This request was aborted because it appears to be forged')
)));
$this->add($csrf);
}
}
and form scritp:
{{ form('class': 'ui large form') }}
{{ form.render('csrf', ['value': security.getToken()]) }}
{{ form.render('email') }}
{{ form.render('signUp') }}
</form>
I show validation message on top of the form and let user correct it and submit again!
But when I submit form on itself (get and post in one action), csrf
value just populate from last post values while security.getToken()
generate and save new fresh token in session bag (line {{ form.render("csrf", ["value": security.getToken()]) }}
in script runs already)! so secound submit does not validate this old csrf with new generated token!
How can I force my hidden csrf field to get new value instead of populate old post value?
Thanks