Hi. I have very strange behavior in my app.

CSRF works fine in all static routes, like:

$group->add( '/login', [ 'controller' => 'auth', 'action' => 'login' ] )->setName( "auth-login" );

And it is not working in routes with some var at the end:

$group->add( '/reset/{code}',  [ 'controller' => 'auth', 'action' => 'resetPassword' ]   )->setName( "auth-reset" );

BUT, if I go to this URL with a trailing slash at the end, then submit the form, $this->security->checkToken() will return true.

OR if I configure the route like

<?php
$group->add( '/reset/{code}/foo',  [ 'controller' => 'auth', 'action' => 'resetPassword' ]   )->setName( "auth-reset" );

CSRF will work properly.

Why??? How to fix it?

P.S. Chrome - the problem is stable, the issue repeats every time. FF - the first time it fails, all next times it works.

favicon, robots and other files exist.

All code was written according to https://docs.phalcon.io/en/latest/reference/security.html