Ok, well, I figured out what's going on.
Consider this method of sfForm:
    public function getCSRFToken($secret)
    {
      return md5($secret.session_id().get_class($this));
    }
session_id() is generating a random ID on every page request... So if
you submit a form, it generates a new session_id(), causing the md5 to
be different and thus always failing the check from the bound
_csrf_token. I'm using sfPDOSessionStorage for sessions, so maybe a
recent change affected this. I'll do some more digging, but before I
open a ticket, has anyone else run into this issue?
On Jul 21, 11:49 am, Ian Ricketson <[EMAIL PROTECTED]> wrote:
> Any reason why upgrading from 1.0 to 1.1 would cause all my forms to report
> CSRF errors like:
> csrf token: CSRF attack detected.
> Worked before, but I dunno what changed. Any ideas?
> --Ian
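
Added example (not part of the original messages and not symfony's own code): a CLI sketch of the token formula quoted above, showing that the check only passes when the session id and the form class are the same on render and on submit. The secret, class names and session ids are constructed values, and the session id is passed in as a parameter instead of calling session_id().

```php
<?php
// Added illustration, not symfony code. Mirrors the formula quoted above:
// md5($secret . session_id() . get_class($this)).
// The session id is an explicit argument so the script runs without a web server.

function csrfToken(string $secret, string $sessionId, string $formClass): string
{
    return md5($secret . $sessionId . $formClass);
}

// Simulates one form round trip: the GET request renders the token into the
// hidden _csrf_token field, the POST request re-derives it and compares.
function roundTrip(string $secret, array $onGet, array $onPost): array
{
    $rendered = csrfToken($secret, $onGet['sid'], $onGet['class']);
    $expected = csrfToken($secret, $onPost['sid'], $onPost['class']);
    return [
        'session_stable' => $onGet['sid'] === $onPost['sid'],
        'token_valid'    => hash_equals($expected, $rendered),
    ];
}

// Constructed sample values (hypothetical secret, class names and session ids).
$secret = 'constructed-secret';
$cases = [
    'session persisted' => [
        ['sid' => 'sess-aaa111', 'class' => 'ContactForm'],
        ['sid' => 'sess-aaa111', 'class' => 'ContactForm'],
    ],
    'new id each request' => [
        ['sid' => 'sess-aaa111', 'class' => 'ContactForm'],
        ['sid' => 'sess-bbb222', 'class' => 'ContactForm'],
    ],
    'different form class' => [
        ['sid' => 'sess-aaa111', 'class' => 'ContactForm'],
        ['sid' => 'sess-aaa111', 'class' => 'LoginForm'],
    ],
];

foreach ($cases as $label => [$onGet, $onPost]) {
    $r = roundTrip($secret, $onGet, $onPost);
    printf("%-22s session_stable=%s token_valid=%s\n", $label,
        var_export($r['session_stable'], true),
        var_export($r['token_valid'], true));
}
```

A rejected token together with session_stable=false points at session persistence (storage or cookie handling), not at the form or the secret.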
You received this message because you are subscribed to the Google Groups
"symfony developers" group.