th13f89

Reputation: 1

Phalcon csrf fail on server

I am using phalcon 2.0.9.

I have a login form, with csrf protection.

This is the code in the form:

<input type='hidden' id='token' name='{{ security.getTokenKey() }}' value='{{ security.getToken() }}' />

And this is the validation in the controller:

if(!$this->security->checkToken()) {
    // error code here
}

It works perfectly on localhost, but when I upload it to the server, it always fails. I use ajax in login. After the post request, the csrf token in session is different than the token in the post.

What could cause this?

Upvotes: 0

Views: 1691

Answers (1)

Timberland

Reputation: 40

Credit: Daniel @ https://forum.phalconphp.com/discussion/922/csrf-protection-not-working

Make sure you're using the latest Phalcon version on your server as well.
And either use the server configurations given by the users on the forum or move your notfound (404) action to a controller that doesn't include CSRF TokenKey & Key generation on its view.

When there's an item (favicon/robots.txt/img etc.) that is not found on the server, this hits the 404 action and you end up having the CSRF tokens regenerated.

Hope that would help.

Upvotes: 0
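To make the failure mode described in this answer concrete, here is an added example (not Phalcon's code and not the asker's): a constructed stand-in for the Security component that, like the behaviour described above, stores a fresh token in the session on every getToken() call, followed by the request sequence that breaks the ajax login and the variant where the 404 view emits no token. Class and function names here are illustrative only.

```php
<?php
// Constructed model of a session-backed CSRF token store. It mimics the
// behaviour the answer describes (new token on every getToken() call);
// it is not Phalcon's Security class.
class CsrfModel
{
    private array $session = [];     // stands in for $_SESSION

    public function getTokenKey(): string
    {
        $this->session['csrf_key'] = bin2hex(random_bytes(8));
        return $this->session['csrf_key'];
    }

    public function getToken(): string
    {
        // Every call overwrites the token stored in the session.
        $this->session['csrf'] = bin2hex(random_bytes(16));
        return $this->session['csrf'];
    }

    // Compare the posted token against the session copy in constant time.
    public function checkToken(array $post): bool
    {
        $key = $this->session['csrf_key'] ?? '';
        return isset($post[$key], $this->session['csrf'])
            && hash_equals($this->session['csrf'], (string) $post[$key]);
    }
}

// A 404 action whose view may or may not render security.getToken().
function renderNotFound(CsrfModel $sec, bool $viewCallsGetToken): void
{
    if ($viewCallsGetToken) {
        $sec->getToken();            // silently replaces the session token
    }
}

// Request 1: the login page renders the hidden input from the question.
$sec = new CsrfModel();
$postedForm = [$sec->getTokenKey() => $sec->getToken()];
// Request 2: browser fetches a missing /favicon.ico, hitting the 404 view.
renderNotFound($sec, true);
// Request 3: the ajax login POSTs the form token, which no longer matches.
echo 'token-emitting 404 view, login check: ', var_export($sec->checkToken($postedForm), true), PHP_EOL;

// Mitigation from the answer: a 404 view that emits no token leaves the
// session token intact, so the same three-request sequence passes.
$sec = new CsrfModel();
$postedForm = [$sec->getTokenKey() => $sec->getToken()];
renderNotFound($sec, false);
echo 'token-free 404 view, login check: ', var_export($sec->checkToken($postedForm), true), PHP_EOL;
```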
