We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.
  1. Home
  2. Security

Doesn't "checkToken()" function in Round-Robin in "Load Balancer"?

”checkToken()” which used Load Balancer in AWS didn't function. By what kind of idea is security check being performed?

$.ajax({
    url: '/api/checkToken'
    type: 'POST',
    dataType: 'json',
    data: {
      'token_key':'{{security.getTokenKey()}}',
      'token':'{{security.getToken()}}'
    },
    success: function(json){
      switch(json.status){
        case "ok":
          // processing...
          break;
        case "ng":
          // processing...
          break;
      }
    }
});
public function checkTokenAction()
{
  $tokenKey = $this->request->getPost("token_key");
  $token    = $this->request->getPost("token");

  header("Content-Type: application/json");
  if( $this->security->checkToken($tokenKey, $token) ){
        echo '{"status":"ok"}';
  }else{
        echo '{"status":"error"}';
  }
  return;
}


34.6k
Accepted
answer

You can read the code to see understand better how it works: https://github.com/phalcon/cphalcon/blob/2.0.x/phalcon/security.zep#L341



574

Or it depends on way having it session information, and I decide. When managing at Database and memcached where you could synchronize, I found out that it's possible.

Thank you.



3.7k

I know this has been answered but for google sake here is my small solution

One of the issue is the non persistent token in session due to checkToken() destroys session token variables.

A simple new security class

class Security extends \Phalcon\Security
{
    public function checkToken($tokenKey = null,$tokenValue = null, $destroyIfValid = false)
    {
        return parent::checkToken($tokenKey,$tokenValue, $destroyIfValid);
    }
}

service call

$di->set('security', function() {
        $security = new Security();
        $security->setWorkFactor(12);
        return $security;
    }, true);

checkToken(null, null, false) will not destroy security Session variables, small implementation so you dont have to implement your own security algoritim.