Solved thread


CSRF problems on 2.0.6

Hi,

After moving to Phalcon 2 from 1.3 I've noticed that my CSRF tokens have stopped working.

I'm sending AJAX calls to the server (without in-between page reloads) and include a CSRF token with each post.

The first AJAX call completes successfully; however, each subsequent call fails CSRF validation.

Debugging it I've noticed that after the first call, the $PHALCON/CSRF$ and $PHALCON/CSRF/KEY$ keys are lost from the session object (all other session variables are still there).

That is obviously what causes the CSRF validation error.

Does anyone have an idea what could be happening that causes the loss of $PHALCON/CSRF keys?

Thanks!



Accepted answer

OK, I've figured it out.

CSRF behaviour has changed in Phalcon 2 - successfully validated tokens are now destroyed.

This did the trick:

$this->security->checkToken(null, null, false); // FALSE to tell Phalcon to keep the token.
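To show the accepted answer in context, here is an added example (not code from the thread or from the Phalcon project) of a Phalcon 2.x controller that issues a CSRF token once and then validates it on repeated AJAX POSTs without destroying it. The controller and action names, the view variable names and the JSON payloads are assumptions made for this example; the Security calls (`getTokenKey()`, `getToken()`, `checkToken($tokenKey, $tokenValue, $destroyIfValid)`) are the ones the answer relies on.

```php
<?php
// Added example, not from the original thread.
// Assumed names: ApiController, indexAction, saveAction, csrfKey, csrfToken.
use Phalcon\Mvc\Controller;

class ApiController extends Controller
{
    // Renders the page that will fire the AJAX calls.
    // getTokenKey() stores $PHALCON/CSRF/KEY$ and getToken() stores
    // $PHALCON/CSRF$ in the session; the view emits them as a hidden input:
    //   <input type="hidden" name="{{ csrfKey }}" value="{{ csrfToken }}">
    // and the client posts that field with every request.
    public function indexAction()
    {
        $this->view->csrfKey   = $this->security->getTokenKey();
        $this->view->csrfToken = $this->security->getToken();
    }

    // Endpoint hit repeatedly by AJAX without a page reload.
    public function saveAction()
    {
        $this->view->disable();

        // Only accept POST requests made via XMLHttpRequest.
        if (!$this->request->isPost() || !$this->request->isAjax()) {
            $this->response->setStatusCode(405, 'Method Not Allowed');
            return $this->response->setJsonContent(['error' => 'POST via AJAX required']);
        }

        // checkToken(tokenKey, tokenValue, destroyIfValid):
        //  - null key/value make Phalcon read the key from the session and the
        //    value from the POST field named by that key;
        //  - false keeps the token in the session after a successful check, so
        //    the second, third, ... AJAX call still validates (the Phalcon 2
        //    default of true would wipe it after the first success).
        if (!$this->security->checkToken(null, null, false)) {
            $this->response->setStatusCode(403, 'Forbidden');
            return $this->response->setJsonContent(['error' => 'CSRF validation failed']);
        }

        // ... perform the state-changing work here ...

        return $this->response->setJsonContent(['ok' => true]);
    }
}
```

With `$destroyIfValid` set to false the same token is reused for the life of the session, which is what makes back-to-back AJAX calls work. If a strictly single-use token is wanted instead, keep the default behaviour and return a freshly generated token in each JSON response so the client can send the new one on its next call.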

I have been looking for this solution for a while. Thank you.