FuelPHP Forums

CSRF Expiration = 0 causes check to fail
Hi there, I've been building an application at work and I've just updated it to the 1.1/master branch from the 1.1/develop. Everything seemed to go great (I'm loving the new release btw), except my login page started to tell me that the CSRF check was failing.
Every time I go to the page it refreshes the CSRF token, but if I set the expiration to something > 0 then it works and doesn't refresh the token? I know this has been an issue in the past, and I can't see anything in Fuel that has changed and would cause this? Here is my code: app/modules/sbusers/controller/users.php
    /**
     * The login action.
     *
     * @access  public
     * @return  void
     */
    public function action_login()
    {
        $login = \Auth::instance();
        if ($login->check())
        {
            \Session::set_flash('info', 'You are already logged in as \''.\Session::get('username').'\'');
        }

        if ($_POST) // Check if a form was submitted
        {
            if (\Security::check_token()) // Check for a valid CSRF token
            {
                $validation = \Validation::factory('sbauth_users_login');
                $validation->set_message('required', 'You must enter your :label.');
                $validation->add_field('username', 'Username', 'required');
                $validation->add_field('password', 'Password', 'required');
                if ($validation->run()) // Check all fields are valid
                {
                    $logon_user = $login->login($validation->validated('username'), $validation->validated('password'));
                    $event_data = array('loggedin' => $logon_user, 'username' => $validation->validated('username'));
                    \Event::trigger('sbusers_after_login', $event_data);
                    if ($logon_user)
                    {
                        // Success handling (redirect etc.) is not included in the post
                    }
                }
                else
                {
                    \Session::set_flash('error', $validation->show_errors());
                }
            }
            else // CSRF attack or expired CSRF token
            {
                \Session::set_flash('error', 'CSRF attack or expired CSRF token');
            }
        }

        $this->template->title = 'Login';
        $this->template->content = \View::factory('users/login');
    }

    <?php /* The users/login view rendered by the controller above */ ?>
    <?php echo \Form::open(); ?>
      <?php echo \Form::hidden(\Config::get('security.csrf_token_key'), \Security::fetch_token()); ?>
      <?php echo \Form::label('Username', 'username'); ?>
      <?php echo \Form::input('username', \Input::post('username'), array('class' => 'text')); ?>
      <?php echo \Form::label('Password', 'password'); ?>
      <?php echo \Form::password('password', null, array('class' => 'text')); ?>
      <div class="buttons">
        <?php echo \Form::submit('submit', 'Login'); ?>
        <span> - or - </span>
        <?php echo \Html::anchor('signup', 'Signup'); ?>
      </div>
    <?php echo \Form::close(); ?>
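The behaviour described in the post (a token that is regenerated on every page load when the expiration is 0, but accepted once the expiration is set above 0) is what you see when a stored CSRF token dies before the form that carries it is submitted. The following is an added, stand-alone model of a cookie-backed synchronizer token, not FuelPHP's own Security or Cookie code: it shows the failing handling of a 0 expiration next to the corrected one. The class names, the cookie name `fuel_csrf_token`, the simulated clock and the `loginRoundTrip` helper are all assumptions made for the example.

```php
<?php
// Added example (not FuelPHP's code): a minimal synchronizer-token check whose
// token is persisted in a cookie-like jar with an expiry. It models the symptom
// from the post: if a configured expiration of 0 becomes "expire at now + 0",
// the stored token is already dead when the form is submitted, check_token()
// can never match, and every page load mints a fresh token. Class names, the
// cookie name and the clock value are assumptions.

final class CookieJar
{
    /** @var array<string, array{value: string, expires: ?int}> constructed in-memory jar */
    private array $jar = [];
    public int $now; // simulated clock, unix seconds

    public function __construct(int $now)
    {
        $this->now = $now;
    }

    public function set(string $name, string $value, ?int $expires): void
    {
        $this->jar[$name] = ['value' => $value, 'expires' => $expires];
    }

    // Browser semantics: expires === null is a session cookie; a cookie whose
    // expiry is not in the future is dropped instead of being sent back.
    public function get(string $name): ?string
    {
        if (!isset($this->jar[$name])) {
            return null;
        }
        $cookie = $this->jar[$name];
        if ($cookie['expires'] !== null && $cookie['expires'] <= $this->now) {
            unset($this->jar[$name]);
            return null;
        }
        return $cookie['value'];
    }
}

final class CsrfGuard
{
    const TOKEN_KEY = 'fuel_csrf_token'; // assumed cookie / hidden-field name

    private CookieJar $jar;
    private int $expiration;
    private bool $zeroMeansNow;

    public function __construct(CookieJar $jar, int $expiration, bool $zeroMeansNow)
    {
        $this->jar = $jar;
        $this->expiration = $expiration;
        $this->zeroMeansNow = $zeroMeansNow;
    }

    // Called while rendering the form: reuse a still-valid token, else mint one.
    public function fetchToken(): string
    {
        $existing = $this->jar->get(self::TOKEN_KEY);
        if ($existing !== null) {
            return $existing;
        }
        $token = bin2hex(random_bytes(16));
        $this->jar->set(self::TOKEN_KEY, $token, $this->expiresAt());
        return $token;
    }

    // Called on POST: constant-time comparison of the posted field with the stored token.
    public function checkToken(?string $posted): bool
    {
        $expected = $this->jar->get(self::TOKEN_KEY);
        return $expected !== null && $posted !== null && hash_equals($expected, $posted);
    }

    private function expiresAt(): ?int
    {
        if ($this->zeroMeansNow) {
            return $this->jar->now + $this->expiration; // 0 => expired on arrival
        }
        // Corrected handling: 0 is a session cookie, anything else a lifetime in seconds.
        return $this->expiration > 0 ? $this->jar->now + $this->expiration : null;
    }
}

// One GET that renders the login form, a pause while the user types, one POST.
function loginRoundTrip(int $expiration, bool $zeroMeansNow): bool
{
    $jar = new CookieJar(1700000000);                  // constructed clock
    $guard = new CsrfGuard($jar, $expiration, $zeroMeansNow);
    $hiddenField = $guard->fetchToken();               // GET /login renders the hidden field
    $jar->now += 5;                                    // user fills in the form
    return $guard->checkToken($hiddenField);           // POST /login runs the check
}

var_dump(loginRoundTrip(0, true));     // expiration 0, lifetime handled as "now + 0"
var_dump(loginRoundTrip(3600, true));  // expiration > 0 with the same handling
var_dump(loginRoundTrip(0, false));    // expiration 0 handled as a session cookie
```

Run it with `php csrf_model.php`. The first call models the configuration from the post: the token fetched during the GET is no longer available at the POST, so the check fails and the next page load has to issue a new token. The second call shows why raising the expiration hides the problem rather than fixing it, and the third shows 0 handled as a session-lifetime cookie. Whatever the actual cause in Fuel's cookie handling, the check to make when a CSRF token keeps failing is the same: compare the value written into the hidden field with the value the browser sends back on the POST, and inspect the Expires attribute of the token cookie in the response headers.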
