
FuelPHP Forums

CSRF problem
  • Hi, I have a small problem with CSRF validation.
    In my config file I have "csrf_autoload" set to auto and my form has a hidden csrf token field. But on submit I get the error "CSRF validation failed, Possible hacking attempt detected!". What am I missing?
  • Are you sure $_POST contains the hidden csrf token field? And you are not checking manually as well (because that will invalidate the token)? Do you have multiple windows with forms open?

    You can use http://docs.fuelphp.com/classes/security.html#/method_js_set_token on your forms to make sure the hidden token field contains the correct token, to handle token rotation with multiple forms or multiple windows.
  • I'm creating the view with:

    $data['token'] = Security::generate_token();
    return Response::forge(View::forge('login.twig', $data));

    In the page source code I see:
    <input type="hidden" name="csrf_token" id="csrf_token" value="...">
    with a long alphanumeric value in the field.

    I'm not checking for the token manually and I have only one window with the form open.

  • Did you configure that field name in the config? Because by default the field name is "fuel_csrf_token".
  • Yes, I changed that:

    'csrf_token_key' => 'csrf_token'
  • Harro
    Accepted Answer
    You use Security::generate_token(), which just generates a random token. It doesn't have anything to do with CSRF checking. You need to use Security::fetch_token() instead.


  • Yes, that solved my problem. Thank you very much.
  • I had a similar problem where I set "csrf_autoload" to true while also manually checking with "Security::check_token()". Thanks to this post I was able to solve that small bug. But I don't see it clearly stated in the documentation.

  • Checking the token invalidates and rotates the current token, so you can check only once. If you do both, you end up with invalid token errors all the time.

    I'll see how this can be clarified in the docs.
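The two pitfalls in this thread (rendering the form with generate_token() instead of fetch_token(), and checking the token twice when csrf_autoload is on) both come down to how a session-bound, rotating token behaves. The following is an added, stand-alone model of that behaviour, not FuelPHP's own Security class: the CsrfModel class, its in-memory $session array and the scenario labels are hypothetical, while the method names mirror the ones discussed above so the three cases map directly onto the posts.

```php
<?php
// Added example (not FuelPHP code): a minimal model of a session-bound CSRF
// token that is rotated on every check, to show why the form must carry the
// value returned by fetch_token() and why the token may be checked only once
// per request. CsrfModel and its $session array are hypothetical stand-ins.

class CsrfModel
{
    private array $session = [];          // stand-in for the PHP session store
    private string $key = 'csrf_token';   // mirrors the 'csrf_token_key' config value

    // A fresh random value with no link to the session (what generate_token() does).
    public function generate_token(): string
    {
        return bin2hex(random_bytes(16));
    }

    // The token that is currently valid for this session, created on first use.
    public function fetch_token(): string
    {
        if (!isset($this->session[$this->key])) {
            $this->session[$this->key] = $this->generate_token();
        }
        return $this->session[$this->key];
    }

    // Validate a submitted value against the session token, then rotate:
    // the old value is discarded, so a second check of the same value fails.
    public function check_token(?string $submitted): bool
    {
        $current = $this->session[$this->key] ?? null;
        unset($this->session[$this->key]);   // rotation happens whether or not the check passes
        return $current !== null && $submitted !== null && hash_equals($current, $submitted);
    }
}

function describe(string $label, bool $ok): void
{
    echo $label . ': ' . ($ok ? 'token accepted' : 'CSRF validation failed') . PHP_EOL;
}

// Scenario 1 (original post): the hidden field holds generate_token(), which was
// never stored in the session, so the autoload check cannot match it.
$csrf = new CsrfModel();
$formValue = $csrf->generate_token();
describe('form built with generate_token()', $csrf->check_token($formValue));

// Scenario 2 (accepted answer): the hidden field holds fetch_token() and the
// request is checked exactly once.
$csrf = new CsrfModel();
$formValue = $csrf->fetch_token();
describe('form built with fetch_token(), checked once', $csrf->check_token($formValue));

// Scenario 3 (last two posts): csrf_autoload performs the check, then the
// controller calls check_token() again on the same request. The first check
// rotated the token, so the manual check sees an invalid token.
$csrf = new CsrfModel();
$formValue = $csrf->fetch_token();
$autoload = $csrf->check_token($formValue);   // framework-level check
$manual   = $csrf->check_token($formValue);   // redundant manual check
describe('autoload check', $autoload);
describe('manual check after autoload', $manual);
```

Run it with `php csrf_model.php` (any PHP 7.4 or newer). The point to take from scenario 3 is the one Harro makes above: with csrf_autoload enabled, a controller must not call Security::check_token() itself, because the framework's check has already consumed and rotated the token; pick one place to validate, not both.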
