See also this, with a possible patch: http://trac.symfony-project.org/ticket/3857
Michael On 22 Jul., 00:10, Ian <[EMAIL PROTECTED]> wrote: > This ticket may be the issue:http://trac.symfony-project.org/ticket/4000 > > I do clear and re-add all credentials at the start of every page > request so its a good chance that its regenerating the session every > single time, causing the error. > > On Jul 21, 4:03 pm, Ian <[EMAIL PROTECTED]> wrote: > > > Ok well I figured out whats going on. > > > Consider this method of sfForm: > > > public function getCSRFToken($secret) > > { > > return md5($secret.session_id().get_class($this)); > > } > > > session_id() is generating a random ID on every page request... So if > > you submit a form, it generates a new session_id(), causing the md5 to > > be different and thus always failing the check from the bound > > _csrf_token. I'm using sfPDOSessionStorage for sessions, so maybe a > > recent change affected this. I'll do some more digging, but before I > > open a ticket, has anyone else run into this issue? > > > On Jul 21, 11:49 am, Ian Ricketson <[EMAIL PROTECTED]> wrote: > > > > Any reason why upgrading from 1.0 to 1.1 would cause all my forms to > > > report CSRF errors like: > > > csrf token: CSRF attack detected. > > > Worked before, but I dunno what changed. Any ideas?--Ian --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en -~----------~----~----~----~------~----~------~--~---
