Solved thread


CSRF problems on 2.0.0

I use a CSRF system identical to the Vokuro one:

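// LoginForm.php

$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical(array(
    // Compare the submitted field with the token currently stored in the session
    'value' => $this->security->getSessionToken(),
    'message' => 'CSRF validation failed'
)));
$this->add($csrf);

// login.volt

{{ form.render('csrf', ['value': security.getToken()]) }}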

and it's working fine on Phalcon 1.3.4. On 2.0.0 it works only on the first form submit. On every subsequent submit it returns 'CSRF validation failed'.

Any workaround? :I


getToken returns a new token each time; in your code you are getting the token from the session and then generating a new one. I've extended Phalcon\Security with:

public function getOrCreateToken() {
    // Reuse the token already stored in the session; generate one only if none exists
    return $this->_dependencyInjector['session']->get('$PHALCON/CSRF$') ?: $this->getToken();
}
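The token behaviour described in the answer above, as an added example that is not part of the original post and not Phalcon's code. The `TokenModel` class, its in-memory session array and the `csrf_token` key are assumptions that stand in for `Phalcon\Security` and the session service; `check()` is a hypothetical helper.

```php
<?php
// Simplified stand-in for the token handling discussed in this thread.
// Constructed for illustration: not Phalcon's implementation.
final class TokenModel
{
    private const KEY = 'csrf_token';   // constructed session key
    private array $session = [];        // stands in for the session store

    // Behaviour the answer describes: every call replaces the stored token.
    public function getToken(): string
    {
        return $this->session[self::KEY] = bin2hex(random_bytes(16));
    }

    public function getSessionToken(): ?string
    {
        return $this->session[self::KEY] ?? null;
    }

    // The answer's workaround: reuse the stored token, create one only if absent.
    public function getOrCreateToken(): string
    {
        return $this->getSessionToken() ?? $this->getToken();
    }

    // Hypothetical helper: constant-time comparison of the submitted field
    // with the token currently held in the session.
    public function check(?string $submitted): bool
    {
        $stored = $this->getSessionToken();
        return is_string($stored) && is_string($submitted)
            && hash_equals($stored, $submitted);
    }
}

$security = new TokenModel();

// Rotating tokens: a second render (redisplayed form, second tab) replaces
// the stored value, so the form rendered first no longer validates.
$firstForm  = $security->getToken();
$secondForm = $security->getToken();
var_dump($security->check($firstForm), $security->check($secondForm));

// Reused token: every render receives the same value, and it validates.
$a = $security->getOrCreateToken();
$b = $security->getOrCreateToken();
var_dump($a === $b, $security->check($a));
```

Reusing the token makes it a per-session value rather than a per-request one: it stays valid until the session entry is cleared.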


thanks, got it working now :)


Just FYI,

this could be the reason why your CSRF stopped working: