
Dispatcher forward and CSRF

Using dispatcher forward and CSRF is not working in 2.0.3. Example:

  • I have a user registration form with a CSRF field.
  • I post data to createAction().
  • I check the form for errors.
  • If the form has errors I use
        return $this->dispatcher->forward(['action' => 'register']);
  • I fix the errors in my form and I repost the data.
  • Now I get a CSRF validation error.

If it's a bug, this is a huge problem and needs to be fixed immediately since it has a big impact on forms. If this happens due to some changes in 2.0* that I am not aware of, I would need your help to understand what is happening.

Thanks

The CSRF token expires per use; you have to pass false as the third parameter (destroyIfValid) to avoid this. https://github.com/phalcon/cphalcon/blob/2.0.x/phalcon/security.zep#L341


The thing is that using forms, you validate it like this:

        // Inside the form's initialize(); requires
        // use Phalcon\Forms\Element\Hidden; and
        // use Phalcon\Validation\Validator\Identical;
        $csrf = new Hidden('csrf');

        // Compare the posted value with the token currently stored in the session
        $csrf->addValidator(
            new Identical([
                'value'   => $this->security->getSessionToken(),
                'message' => 'CSRF validation failed',
            ])
        );

        $this->add($csrf);

And you assign the value:

{{ form.render('csrf', {'value':security.getToken()}) }}

So we never actually call checkToken(). You suggest changing the way I validate it?

Any suggestion please?
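As an added illustration of the reply above (not code from this thread, from Phalcon, or from the poster), here is the checkToken() approach the follow-up question asks about: the controller validates the posted 'csrf' field directly and passes false as the third argument so the session token survives the forward back to the form. The controller name, the RegisterForm class and the redirect target are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical RegisterForm whose
// view renders the field as {{ form.render('csrf', {'value': security.getToken()}) }}
// and a Phalcon 2.0.x Security service registered as "security".
use Phalcon\Mvc\Controller;

class UsersController extends Controller
{
    public function registerAction()
    {
        // The view calls security.getToken() when it renders the hidden field,
        // which stores the current token in the session.
        $this->view->form = new RegisterForm();
    }

    public function createAction()
    {
        // checkToken(tokenKey, tokenValue, destroyIfValid):
        //   'csrf'  - name of the POST field holding the token
        //   null    - read the value from the request instead of passing it
        //   false   - do NOT remove the session token on a successful check;
        //             the default (true) consumes it per use, which is what
        //             breaks a repost after a forward back to the form.
        if (!$this->security->checkToken('csrf', null, false)) {
            $this->flash->error('CSRF validation failed');
            return $this->dispatcher->forward(['action' => 'register']);
        }

        $form = new RegisterForm();
        if (!$form->isValid($this->request->getPost())) {
            foreach ($form->getMessages() as $message) {
                $this->flash->error((string) $message);
            }
            // Token was left intact above, so the re-rendered form still matches.
            return $this->dispatcher->forward(['action' => 'register']);
        }

        // Everything validated: consume the token now so this submission
        // cannot be replayed with the same value.
        $this->security->checkToken('csrf', null, true);

        // ... persist the new user here ...
        return $this->response->redirect('users/welcome');
    }
}
```

With this layout the Identical validator on the form becomes redundant, since the CSRF check happens once, explicitly, before the form is even constructed.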