We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.
  1. Home
  2. Security

CSRF problems on 2.0.6

Hi,

After moving to Phalcon2 from 1.3 I've noticed that my CSRF tokens have stopped working.

I'm sending AJAX calls to the server (without in-between page reloads) and include CSRF token with each post.

The first AJAX calls completes successfully, however each subsequent call fails CSRF valiation.

Debugging it I've noticed that after first call, the $PHALCON/CSRF$ and $PHALCON/CSRF/KEY$ keys are lost from session object (all other session variables are still there).

That obviously is causing CSRF validation error.

Does anyone have an idea what could be happening that causes the loss of $PHALCON/CSRF keys?

Thanks!



51.3k
Accepted
answer

ok, I've figured it out.

CSRF behaviour has changed in Phalcon 2 - successfully validated tokens are now destroyed.

This did the trick:

$this->security->checkToken(null, null, false); // FALSE to tell Phalcon to keep the token.


110

I have been looking for this solution for a while. Thank you.



2.8k

Still useful in 2018 :)