We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.
  1. Home
  2. Security

CSRF

I see that there is two ways to check CSRF

First way could be in a form:

$csrf = new Hidden('csrf');

    $csrf->addValidator(new Identical(array(
        'value' => $this->security->getSessionToken(null, null, false),
        'message' => 'CSRF validation failed'
    )));
    <input type="hidden" name="crsf}" value="{{ security.getToken() }}">

Second way is to encrypt the name and value, like in the first exampel the name was just Csrf: if ($this->security->checkToken(null, null, false)) { // continue }

<input type="hidden" name="{{ security.getTokenKey() }}" value="{{ security.getToken() }}">

Which type should i use?



145.0k

Well i think the first option is nice, cuz you dont have additional code block in your code :)



40.6k

But what is it the safest way?



145.0k

Both are imho safe, the first option looks better.