
Cannot get CSRF to work...

Hi guys,

I am trying to implement CSRF protection for all of my forms, but I cannot seem to be able to make it work. This is how I declare the field in my form:

use Phalcon\Forms\Element\Hidden;
use Phalcon\Validation\Validator\Identical;

// Hidden field that must match the CSRF token stored in the session
$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical(array(
  'value' => $this->security->getSessionToken(),
  'message' => 'CSRF validation failed'
)));
$csrf->clear(); // clear the element's current value
$this->add($csrf);

And this is how I am rendering it in the view:

{{ form.render('csrf', ['value': security.getToken()]) }}

And I am using

$this->request->isPost() && $this->security->checkToken()

to make sure I am getting a proper call. However, I cannot seem to be able to save a record (using this in a create action), but I am not getting any error messages either...

Any ideas?




Hello George, can you view the source in HTML and check the CSRF value in your form?

I think the CSRF field should be a hidden value because Phalcon will check it after the request is sent to your controller; please check the documentation:

https://docs.phalcon.io/en/latest/reference/security.html

Hi xeleniumz,

I can see the hidden field in the form just fine, with its value...




Do you want to create a CSRF form and let the user insert the CSRF value?




Do you have any AJAX requests between form display and form submission?

> Do you have any AJAX requests between form display and form submission?

Hey @Izo, I'm planning on using CSRF in our project, but there could be AJAX requests between page load and submit. Is there an existing fix/hack for this?




Kind of... the token should not be deleted after checking; you can see here: https://forum.phalcon.io/discussion/8093/csrf-problems-on-206




Also, if it is a must to have this, I would use some external source, either write it myself or use some others like this one: https://github.com/schnittstabil/csrf-tokenservice

It's rather simple and doesn't require a gazillion amount of knowledge. As someone mentioned here https://github.com/phalcon/forum/issues/194#issuecomment-231327757, you can check this repo.

Laravel seems to be adding some custom headers, which I think is better, just because you don't have to put any hidden fields and shit. Source here: https://github.com/laravel/framework/blob/5.0/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php . Also, their implementation is in the routes themselves, which I also prefer. Docs here: https://laravel.com/docs/4.2/security .

But I am not an expert. I think I prefer Google's reCAPTCHA. Unless it's a banking site; if so, none of what I said is valid.

Cheers.

> Do you want to create a CSRF form and let the user insert the CSRF value?

No, the form just creates a hidden field with the value and name inserted, like on the documentation.

edited Jul '16

UPDATE:

Now I think I managed to make this work, but another issue came up. I am using the following code in my model in order to insert a timestamp upon creation/update of a record:

use Phalcon\Db\RawValue;

// Model hooks: let the database set the timestamps with its own now()
public function beforeCreate()
{
    $this->created = new RawValue('now()');
}

public function beforeUpdate()
{
    $this->updated = new RawValue('now()');
}

But when I try to submit the form, I get an error saying that created and updated are required, meaning those two functions do not fire...

EDIT: Never mind, this was just a typo in my model...



Accepted answer

I ended up using this code, which seems to work just fine:

use Phalcon\Forms\Element\Hidden;

// CSRF: name the field after the session token key so checkToken() can find it
$this->add(new Hidden('csrf', array(
  'name'        => $this->security->getTokenKey(),
  'value'       => $this->security->getToken()
)));

Now checkToken() works correctly and my controller stopped complaining...
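The pattern the accepted answer arrives at, pulled together into a form class and a controller action, as an added worked example; this is not code from the thread or from Phalcon itself. It assumes a Phalcon 3.x application with the "security", "session", "request", "flash" and "response" services registered in the DI, and the class names ArticleForm and ArticleController are illustrative. It also covers the AJAX case raised in the thread: checkToken() takes an optional third argument (destroyIfValid, default true), and passing false keeps the session token valid for further requests in the same page lifetime; the header name X-CSRF-TOKEN is an assumed convention, not something Phalcon defines.

```php
<?php
// Added example, not the thread's or Phalcon's own code.
// Assumes Phalcon 3.x with security/session/request/flash/response in the DI.

use Phalcon\Forms\Form;
use Phalcon\Forms\Element\Hidden;
use Phalcon\Forms\Element\Text;
use Phalcon\Mvc\Controller;

class ArticleForm extends Form
{
    public function initialize()
    {
        $this->add(new Text('title'));

        // The field is named with getTokenKey() so that Security::checkToken()
        // can locate it in the POST data without extra arguments; getToken()
        // generates the value and stores it in the session for comparison.
        $this->add(new Hidden('csrf', array(
            'name'  => $this->security->getTokenKey(),
            'value' => $this->security->getToken(),
        )));
    }
}

class ArticleController extends Controller
{
    public function createAction()
    {
        $form = new ArticleForm();

        if ($this->request->isPost()) {
            // Reject the request before any validation or persistence when the
            // token is missing or does not match the session value.
            if (!$this->security->checkToken()) {
                $this->flash->error('CSRF validation failed');
                return $this->response->redirect('article/create');
            }

            // ... bind $form to a model, call $form->isValid() and save ...
            $this->flash->success('Record created');
            return $this->response->redirect('article/index');
        }

        // GET: render the form; getToken() runs here and puts a fresh token
        // value into the hidden field and the session.
        $this->view->form = $form;
    }

    // AJAX endpoint called while the page with the form is still open.
    // The client sends the token key and value as a header (assumed
    // convention: X-CSRF-TOKEN carrying the value, X-CSRF-KEY the key).
    // destroyIfValid=false keeps the session token alive so the later
    // form submission still validates.
    public function previewAction()
    {
        $key   = $this->request->getHeader('X-CSRF-KEY');
        $value = $this->request->getHeader('X-CSRF-TOKEN');

        if (!$this->security->checkToken($key, $value, false)) {
            $this->response->setStatusCode(403, 'Forbidden');
            return $this->response->setJsonContent(array('error' => 'CSRF validation failed'));
        }

        return $this->response->setJsonContent(array('ok' => true));
    }
}
```

The check runs before the model is touched, so a rejected request never reaches validation or save; that is why the original code produced no validation messages when checkToken() failed silently. For the AJAX case, the token is deliberately left intact (third argument false) on the intermediate request and only destroyed by the final form submission.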