We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.
  1. Home
  2. MVC

Dispatcher forward and CSRF

Using dispatcher forward and csrf, is not working in 2.0.3. Example:

  • I have a user registration form with a CSRF field.
  • I post data to createAction().
  • I check the form for errors
  • If form has errors I use 
return $this->dispatcher->forward(['action' => 'register']);
  • I fix the errors in my form and I repost the data.
  • Now I get CSRF validation error.

If it's a bug, this is a huge problem and needs to be fix immediatly since it has a big impact on forms. If this happens due to some changes in 2.0* that I am not aware of, I would need your help to understand what it is happening.

Thanks



1.1k

the CSRF expires per use, you have to pass false in the third parameter (destroyIsValid) to avoid this. https://github.com/phalcon/cphalcon/blob/2.0.x/phalcon/security.zep#L341



51.1k

The thing is that using forms you validate it like this:

        $csrf = new Hidden('csrf');

        $csrf->addValidator(
            new Identical([
                'value' => $this->security->getSessionToken(),
                'message' => 'CSRF validation failed',
            ])
        );

        $this->add($csrf);

And you assing the the value :

{{ form.render('csrf', {'value':security.getToken()}) }}

So we never actually call checkToken(). You suggest to change the way I validate it ?



657

Any suggestion please?