I'm having problems with CSRF verification on my sites because the setDefault and clear functions don't seem to have any effect on the form elements.
The CSRF field is defined in this way (for testing):
    $csrf = new Hidden('csrf');
    $csrf->setUserOption('type', 'hidden');
    $csrf->addValidator(new Identical([
        'value'   => $this->security->getSessionToken(),
        'message' => 'CSRF validation failed, expected ' . $this->security->getSessionToken()
    ]));
    $csrf->setDefault($this->security->getToken());
    $this->add($csrf);
It works successfully on the first submit, but submitting again will fail because the first token gets remembered as the value of the csrf field. Adding $csrf->clear(); changes nothing. I am yet to find a working way of resetting it to the new token. Any help would be appreciated!
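The failure described above, reproduced as an added stand-alone example (not part of the original post and not Phalcon's code). The `TokenStore` class and both functions are hypothetical, and the example assumes the form re-emits the submitted field value in preference to its default, which is the behaviour the post reports.

```php
<?php
// Stand-alone model of a per-render CSRF token. All names are hypothetical.

final class TokenStore
{
    private ?string $expected = null; // token the next submit must match

    // Issue a fresh token for a form render; it replaces any earlier one.
    public function issue(): string
    {
        return $this->expected = bin2hex(random_bytes(16));
    }

    // Single-use check: constant-time comparison, then invalidate the token.
    public function check(string $submitted): bool
    {
        $ok = $this->expected !== null && hash_equals($this->expected, $submitted);
        $this->expected = null;
        return $ok;
    }
}

// Value placed in the hidden csrf field for this render.
// $submitted is the POST data of the previous request (empty on first render).
function renderCsrfField(TokenStore $store, array $submitted, bool $preferSubmitted): string
{
    $fresh = $store->issue();
    // Sticky field (assumed behaviour): the posted value wins over the default,
    // so the token that was already consumed is emitted again.
    if ($preferSubmitted && isset($submitted['csrf'])) {
        return $submitted['csrf'];
    }
    return $fresh; // the CSRF field never echoes request data back
}

// Render, submit, re-render, submit again; report whether the second submit validates.
function secondSubmitPasses(bool $preferSubmitted): bool
{
    $store = new TokenStore();
    $post = ['csrf' => renderCsrfField($store, [], $preferSubmitted)];
    if (!$store->check($post['csrf'])) {
        return false; // first submit is expected to pass in both modes
    }
    $post = ['csrf' => renderCsrfField($store, $post, $preferSubmitted)];
    return $store->check($post['csrf']);
}

var_dump(secondSubmitPasses(true));  // sticky field: stale token re-sent
var_dump(secondSubmitPasses(false)); // field always carries the fresh token
```

The model isolates the cause: validation itself is sound, and the second submit fails only when the rendered field carries the previous request's token instead of the newly issued one.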