Hi, I've got a problem with my login form that occurs only after a session timeout when I was on a form, posting data. My application has global CSRF protection. The facts are these...
1. I log in successfully.
2. I go to a page with a form (that is CSRF protected). This action is "secure": I need to be authenticated to go to it.
3. I open a second tab and log off (in this new tab) to simulate a session time-out.
4. In my first tab, I try to post some data using the form. As I am not authenticated any more, I'm forwarded to the login action by the default security filter. The login form displays validation errors: invalid login/password, CSRF token required, login required, password required, well...
5. I type my login and my password and try to log in, and I get again the validation error "CSRF token required"... Damn!

After debugging, it appears that the hidden CSRF field has no value:

<input type="hidden" name="login[_csrf_token]" id="login__csrf_token" />

Actually, in sfForm::addCSRFProtection(), in this last line:

$this->setDefault(self::$CSRFFieldName, $token);

This line is executed, and both $CSRFFieldName and $token have the right value, but it seems that the form doesn't care about this default value, since it has another value in mind?

Has anyone met this problem? Or does anyone have a solution or an idea?

Thanks!
