
FuelPHP Forums

csrf help
  • Hello, I want some help using CSRF in FuelPHP. Is there any tutorial for this? I read the documentation but I'm confused. It would be helpful if someone could show me a simple example of this. Thank you in advance.
  • I assume you've read http://fuelphp.com/docs/general/security.html#csrf ? It's quite simple actually:
    - step 1: add a hidden field to your form containing the CSRF token
    - step 2: before processing the form, check if the form contains the correct token
    And that's all. Exactly as described in the documentation.

    Note that currently only one form is supported. Other forms opened simultaneously (either on the same page or in a different tab or window) will use the same token. Once a token is validated, a new one is generated, which renders all other forms invalid. For the same reason, using the back button of your browser to resubmit a form no longer works. There's an update on the roadmap to add multi-form support to CSRF security.
  • @Wanwizard that's why there's a JS helper that can be printed by a method (it's in the docs, can't remember right now). If you use that to grab the value from the cookie on submit, there's no problem.
  • Hmm... That needs a lot more documentation. I've seen that one, but never understood what it's for. I'll try that, but it doesn't look that easy. All the javascript function does is return the cookie value. In an onsubmit, you need to add the code to find the field in the form, and update the value too.
  • I've added a new js_set_token() method to the Security class, to aid in this situation. You can now do this in your view:
    <?php echo \Security::js_set_token(); ?>

    <form name="myform" onsubmit="fuel_set_csrf_token(this);">
        <!-- your form goes here -->
    </form>

    This will automatically update the hidden CSRF token field in the form as soon as you submit it.
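A complete worked version of the two steps from the earlier answer (hidden token field, then check before processing) together with the js_set_token() onsubmit handler from this post, as an added example that is not code from the thread or from the FuelPHP project. It assumes FuelPHP 1.x with the default security config (token field name fuel_csrf_token); Controller_Contact and the view path contact/index are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from this thread or from FuelPHP itself.
// Assumes FuelPHP 1.x with the default security config, i.e.
// 'csrf_token_key' => 'fuel_csrf_token'. Controller and view names are hypothetical.
//
// ---- fuel/app/classes/controller/contact.php ----

class Controller_Contact extends Controller
{
    public function action_index()
    {
        $error = null;

        if (Input::method() === 'POST')
        {
            // Step 2: verify the token before touching any submitted data.
            // check_token() reads the POST field named by security.csrf_token_key,
            // compares it with the token held for this client and then issues a
            // fresh one. Call it exactly once per request: a second call in the
            // same request would compare against the new token and fail.
            if ( ! Security::check_token())
            {
                // A bad token is a failed request, never a valid submission.
                $error = 'Invalid or expired form token, please try again.';
            }
            else
            {
                $message = Input::post('message', '');
                // ... real processing of $message goes here, only on this branch ...
            }
        }

        return View::forge('contact/index', array('error' => $error));
    }
}

// ---- fuel/app/views/contact/index.php ----
// (a separate file; shown here as the PHP template it is)
?>
<?php // Emits the <script> block that defines fuel_set_csrf_token(form). ?>
<?php echo Security::js_set_token(); ?>

<?php if ($error): ?>
    <p class="error"><?php echo $error; ?></p>
<?php endif; ?>

<?php echo Form::open(array(
    'action'   => 'contact',
    // On submit, copy the token currently in the cookie into the hidden field,
    // so a form rendered before another form was submitted still sends the
    // token that is valid now (the multiple-open-forms case from the thread).
    'onsubmit' => 'fuel_set_csrf_token(this);',
)); ?>

    <?php // Step 1: hidden field carrying the token issued for this client. ?>
    <?php echo Form::hidden(Config::get('security.csrf_token_key'), Security::fetch_token()); ?>

    <?php echo Form::label('Message', 'message'); ?>
    <?php echo Form::textarea('message', '', array('rows' => 5)); ?>
    <?php echo Form::submit('send', 'Send'); ?>

<?php echo Form::close(); ?>
```

Two points worth keeping in mind when copying this pattern: the check runs before any other use of the POST data, and its failure branch stops processing rather than falling through; and because check_token() rotates the token on every call, a back-button resubmit of an already processed form is rejected, which is the behaviour described earlier in this thread, not a bug in your controller.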
  • Thank you, I'll try to apply it.
  • I've implemented it in my app now, and it works as advertised.
