FuelPHP Forums
CSRF Expiration = 0 causes check to fail
  • Hi there, I've been building an application at work and I've just updated it to the 1.1/master branch from 1.1/develop. Everything seemed to go great (I'm loving the new release, btw), except my login page started to tell me that the CSRF check was failing.
    Every time I go to the page it refreshes the CSRF token, but if I set the expiration to something > 0 then it works and doesn't refresh the token. I know this has been an issue in the past, and I can't see anything in Fuel that has changed and would cause this. Here is my code: app/modules/sbusers/controller/users.php
    /**
     * The login action.
     *
     * @access  public
     * @return  void
     */
    public function action_login()
    {
        $login = \Auth::instance();

        if ($login->check())
        {
            \Session::set_flash('info', 'You are already logged in as \''.\Session::get('username').'\'');
        }

        if ($_POST) // Check if a form was submitted
        {
            if (\Security::check_token()) // Check for a valid CSRF token
            {
                $validation = \Validation::factory('sbauth_users_login');

                $validation->set_message('required', 'You must enter your :label.');

                $validation->add_field('username', 'Username', 'required');
                $validation->add_field('password', 'Password', 'required');

                if ($validation->run()) // Check all fields are valid
                {
                    $logon_user = $login->login($validation->validated('username'), $validation->validated('password'));

                    // Notify listeners whether or not the login succeeded
                    $event_data = array();
                    $event_data['loggedin'] = $logon_user;
                    $event_data['username'] = $validation->validated('username');
                    \Event::trigger('sbusers_after_login', $event_data);

                    if ($logon_user)
                    {
                        \Response::redirect();
                    }
                }
                else
                {
                    \Session::set_flash('error', $validation->show_errors());
                }
            }
            else // CSRF attack or expired CSRF token
            {
                \Session::set_flash('error', 'CSRF attack or expired CSRF token');
            }
        }

        // Render the login form (on GET, or again after a failed POST)
        $this->template->title = 'Login';
        $this->template->content = \View::factory('users/login');
    }

    app/modules/sbusers/views/users/login.php

    <?php echo \Form::open(); ?>
        <fieldset>
            <?php echo \Form::hidden(\Config::get('security.csrf_token_key'), \Security::fetch_token()); ?>
            <?php echo \Form::label('Username', 'username'); ?>
            <?php echo \Form::input('username', Input::post('username'), array('class' => 'text')); ?>
            <?php echo \Form::label('Password', 'password'); ?>
            <?php echo \Form::password('password', null, array('class' => 'text')); ?>
        </fieldset>
        <div class="buttons">
            <p>
                <?php echo \Form::submit('submit', 'Login'); ?>
                <span> - or - </span>
                <?php echo \Html::anchor('signup', 'Signup'); ?>
            </p>
        </div>
    <?php echo \Form::close(); ?>
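The pattern the post relies on is a synchronizer token: the view embeds a token from the session in a hidden field and the controller compares it on POST. The failure described above, where every page load mints a new token so the submitted one never matches, comes down to when the token is regenerated. The following is an added example, not code from the original post and not FuelPHP's own `Security` class; the class name `CsrfGuard` and the `$store` array standing in for the session are hypothetical, and it assumes PHP 7 or later for `random_bytes()`. It treats an expiration of 0 as "never expires by age", keeps the token stable across repeated GETs, compares in constant time, and rotates only after a successful check.

```php
<?php
// Added example (not FuelPHP code): minimal synchronizer-token CSRF helper.
// CsrfGuard and $store are hypothetical; $store stands in for $_SESSION.

class CsrfGuard
{
    private $store;       // reference to the session-like array
    private $expiration;  // seconds a token stays valid; 0 means no age limit
    private $key = 'csrf_token';

    public function __construct(array &$store, $expiration = 0)
    {
        $this->store = &$store;
        $this->expiration = (int) $expiration;
    }

    // Return the current token; mint a new one only if none exists or it aged out.
    // Repeated GETs therefore render the same token instead of rotating it.
    public function fetchToken()
    {
        $entry = isset($this->store[$this->key]) ? $this->store[$this->key] : null;
        if ($entry === null || $this->hasExpired($entry['created']))
        {
            $entry = array('value' => bin2hex(random_bytes(32)), 'created' => time());
            $this->store[$this->key] = $entry;
        }
        return $entry['value'];
    }

    // Validate the submitted value; null (missing field) and non-strings fail.
    // The comparison is constant-time, and the token is consumed only on success
    // so a mistyped form can be resubmitted with the token still on the page.
    public function checkToken($submitted)
    {
        if (!isset($this->store[$this->key]) || !is_string($submitted))
        {
            return false;
        }
        $entry = $this->store[$this->key];
        if ($this->hasExpired($entry['created']))
        {
            unset($this->store[$this->key]);
            return false;
        }
        $ok = hash_equals($entry['value'], $submitted);
        if ($ok)
        {
            unset($this->store[$this->key]); // one-time use: next fetch mints a fresh token
        }
        return $ok;
    }

    private function hasExpired($created)
    {
        // With expiration 0 the age check is skipped entirely
        return $this->expiration > 0 && (time() - $created) > $this->expiration;
    }
}

// Demonstration with an in-memory array instead of a real session.
$session = array();
$guard = new CsrfGuard($session, 0);

$t1 = $guard->fetchToken();   // first GET renders the form with this token
$t2 = $guard->fetchToken();   // a second GET must return the same token
var_dump($t1 === $t2);

var_dump($guard->checkToken('not-the-token')); // mismatch: token is kept
var_dump($guard->checkToken(null));            // missing field: rejected
var_dump($guard->checkToken($t1));             // valid POST: accepted and consumed
var_dump($guard->fetchToken() === $t1);        // next render gets a rotated token
```

Run it with `php csrf_guard.php` (any filename works). The point to compare against a framework's behaviour is the order of operations in `checkToken()`: the stored token must be read and compared before anything regenerates it, and an expiration of 0 must be interpreted consistently by both the fetch and the check paths.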
    
