Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Cannot get CSRF to work...

Hi guys,

I am trying to implement CSRF protection to all of my forms, but I cannot seem to be able to make it work. This is how I declare my field in my form:

$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical(array(
  'value' => $this->security->getSessionToken(),
  'message' => 'CSRF validation failed'

And this is how I am rendering it in the view:

{{ form.render('csrf', ['value': security.getToken()]) }}

And I am using

$this->request->isPost() && $this->security->checkToken()

to make sure I am getting a proper call. However, I cannot seem to be able to save a record (using this in a create action), but I am not getting any error messages either....

Any ideas?


Hello George , Can you view source in html and check csrf value in your form ?

i think csrf should be hidden value because phalcon will check after send request to your controller, pls check on document

Hi xeleniumz,

I can see the hidden field in the form just fine, with its value...


you want to create csrf form and let user insert csrf value ?


do you have any ajax requests between form display and form submision ?

do you have any ajax requests between form display and form submision ?

Hey @Izo, I'm planning on using CSRF in our project, but there could be ajax requests between page load and submit. Is there an existing fix/hack for this?


kind a .. token should not be deleted after checking, you can see here:


also if it is a must to have this i would use some external source, eather write it myself or use some others like this one..

its rather simple and doesnt require gazilion amount of knowage. As someone mension it here you can check this repo.

Laravel seems to be adding some custom headers, which i think its better, just because you dont have to put any hidden fields and shit. Source here : . Also there implementation is in the routes themselves which i also prefer. docs here: .

But i am not an expert. I think i preffer google's recapcha. Untless its a banking site, if so none of what i said is valid.


you want to create csrf form and let user insert csrf value ?

No, the form just creates a hidden field with the value and name inserted, like on the documentation.

edited Jul '16


Now I think I managed to make this work, but another issue came up. I am using the following code in my model in order to insert a timestamp upon creation/update of a record:

public function beforeCreate()
    $this->created = new RawValue('now()');

public function beforeUpdate()
    $this->updated = new RawValue('now()');

But when I try to submit the form, I get an error saying that created and updated is required, meaning those two functions do not fire...

EDIT: Never mind, this was just a typo in my model...


I ended up using this code, which seems to work just fine:

$this->add(new Hidden('csrf', array(
  'name'        => $this->security->getTokenKey(),
  'value'       => $this->security->getToken()

Now checkToken() works correctly and my controller stopped complaining...