I am having validation issues with CSRF tokens and Zend_Form. I have read
other posts and it has only led me to strange issues now...
First, I have no issues at all with the CSRF element validating if I just
simply 'echo' my entire form in my view, just like any 'beginning zend'
tutorial will show ("echo $this->form;"), but I need fine control over all of
my elements in each form, so I still create my form in /forms (extending
Zend_Form), pass it to the view from my controller and put each element in
the view as shown below. This is when things started to go wrong with
the CSRF elements.
    // view script: each element is rendered by hand instead of "echo $this->form;"
    echo $form->username->renderLabel() .
        $this->formText('username', '', array(
            'required' => True,
        ));
    echo $form->password->renderLabel() .
        $this->formPassword('password', '', array(
            'required' => True,
        ));
    echo $form->returnUrl->renderLabel() .
        $form->returnUrl->renderViewHelper();
    echo $form->csrf_token->renderLabel() .
        $form->csrf_token->renderViewHelper();
I kept getting the 'tokens provided do not match' validation error. After
reading various posts (some related to the favicon.ico 404) I realized
that a redirect messes with the CSRF token (makes sense). In my login
controller I 'return' a redirect upon successful login, but if a user was
headed somewhere else in the app and had to log in again due to a session
timeout, then they get redirected to that page instead of just the 'home'
page. I was not originally 'returning' that redirect; now I am... Here is
the piece of my login controller...
    if ($form->isValid($request->getPost())) {
        if ($this->_process($form->getValues())) {
            $logMessage = 'Successful Login by User: ' .
                $form->getValue('username') . ' using IP address: ' .
                $_SERVER['REMOTE_ADDR'];
            $logger = Zend_Registry::get('logger');
            $logger->log($logMessage, Zend_Log::INFO);
            $returnUrl = $form->getElement('returnUrl')->getValue();
            if ( !empty($returnUrl) && $returnUrl != "/login" ) {
                // previously I did not use keyword 'return' here
                return $this->_helper->getHelper('Redirector')->setGotoUrl($returnUrl);
            } else {
                return $this->_helper->redirector('index', 'index');
            }
        }
    } // end of isValid() block (closing brace was missing from the snippet)
Here is where it gets strange: I commented out all redirects and everything
"CSRF" started working just fine (of course not going anywhere). Then I
un-commented the redirects and all of a sudden it works fine too (this is
the strange part). Now the only time I can get it to mismatch is if the
token went stale (timeout => 60000).
Any help in this area would be much appreciated.
--
View this message in context:
http://zend-framework-community.634137.n4.nabble.com/Problems-with-CSRF-tokens-getting-strange-tp4656781.html
Sent from the Zend Framework mailing list archive at Nabble.com.
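As an added illustration (not code from the original post or from Zend Framework), here is a constructed Python model of how Zend_Form_Element_Hash behaves as far as I know its source: rendering the element stores a fresh random hash in the element's session namespace with the configured timeout, and every newly built form instance captures whatever hash the session holds into its Identical validator. The class and function names are my own; the model shows why a request that renders the form again between the GET and the POST (a 404 page or redirect target that builds the same form), or a token older than the timeout, yields 'tokens provided do not match'.

```python
import secrets

class FakeClock:
    """Constructed clock so the timeout can be exercised without sleeping."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds

class SessionNamespace:
    """Stand-in for the element's Zend_Session_Namespace (setExpirationSeconds only)."""
    def __init__(self, clock):
        self.clock, self.hash, self.expires_at = clock, None, None

    def get_hash(self):
        if self.hash is not None and self.clock() >= self.expires_at:
            self.hash = None  # timed out: same as never set -> "tokens provided do not match"
        return self.hash

    def set_hash(self, value, timeout):
        self.hash, self.expires_at = value, self.clock() + timeout

class HashElement:
    """One csrf_token element; a new instance is built on every request, as Zend_Form does."""
    def __init__(self, session, timeout=300):
        self.session, self.timeout = session, timeout
        # initCsrfValidator(): the Identical validator captures the hash stored right now.
        self.expected = session.get_hash()

    def render(self):
        # initCsrfToken(): a fresh random hash is stored, overwriting any earlier one.
        # (ZF1 derives it from md5 over mt_rand values and the salt; any unpredictable value does.)
        token = secrets.token_hex(16)
        self.session.set_hash(token, self.timeout)
        return token

    def is_valid(self, submitted):
        return bool(self.expected) and submitted == self.expected

def login_flow(session, clock, intervening_render=False, delay=0):
    """GET renders the login page; optionally some other request renders the form again
    (a 404 page or redirect target that builds the same form); then the user POSTs."""
    token = HashElement(session).render()
    if intervening_render:
        HashElement(session).render()  # stored hash replaced; the user's page still has the old one
    clock.advance(delay)
    return HashElement(session).is_valid(token)  # the POST builds a fresh form instance
```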