How to CSRF secure a form that posts to another page?
I have a little issue concerning CSRF security and a login form. The form works as follows:

In the main layout a view helper creates a login form and will later also display a user specific menu when a user has been authenticated.

```php
// User menu view helper
public function authentication()
{
    // Check if user is authenticated or not
    $auth = Zend_Auth::getInstance();
    if (!$auth->hasIdentity()) {
        // Not logged in: build the login form and point it at UcpController::loginAction
        $form = new Application_Form_Login();
        $form->setAction($this->_view->url(array('action' => 'login'), 'ucp', true));
        return $form;
    } else {
        // return user specific menu
    }
}
```

The form posts to a UcpController containing all the user control panel logic, such as logging in/out and displaying user specific information.

```php
// loginAction in UcpController
public function loginAction()
{
    // Already authenticated users are sent back to the front page
    if (Zend_Auth::getInstance()->hasIdentity()) {
        $this->_redirect('/');
        return;
    }
    $request = $this->getRequest();
    $form = new Application_Form_Login();
    if ($request->isPost()) {
        // isValid() also runs the validator of the 'csrf' hash element
        if ($form->isValid($post = $request->getPost())) {
            // Do authentication stuff here.
        }
    }
    $this->view->form = $form;
}
```

Sadly this way the CSRF token fails to match and I'm clueless how to solve this problem. Am I missing something here? Should I remove the CSRF validation altogether?

```php
// The CSRF protection element as added to the login form
$this->addElement('hash', 'csrf', array(
    'ignore' => true
));
```

Thanks in advance, your help is greatly appreciated :)
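A framework-agnostic sketch of a per-session CSRF token, added here as an example and not taken from the question or from Zend Framework; the `CsrfToken` class, the `$session` array standing in for `$_SESSION`, and the walk-through values are assumptions. It issues the token once per session rather than on every render, so a form the layout helper renders on one page still validates when posted to a different controller action, and it rejects a forged post with a constant-time comparison.

```php
<?php
// Added example (not the asker's or Zend Framework's code). $session stands
// in for $_SESSION so the script runs from the CLI; the names are assumptions.
// Needs PHP 7+ for random_bytes() (PHP 5.6 has hash_equals()).
class CsrfToken
{
    const KEY = 'csrf_login';

    // Issue the token once per session and reuse it on every render. A token
    // regenerated on each render breaks a form rendered on page A and posted
    // to page B, because the stored value changes between the two requests.
    public static function issue(array &$session)
    {
        if (empty($session[self::KEY])) {
            $session[self::KEY] = bin2hex(random_bytes(32));
        }
        return $session[self::KEY];
    }

    // Hidden field for the layout's login form.
    public static function hiddenField(array &$session)
    {
        $token = htmlspecialchars(self::issue($session), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="csrf" value="' . $token . '">';
    }

    // Called by the receiving action (here: UcpController::loginAction).
    // Constant-time comparison; missing or non-string values are rejected.
    public static function check(array $session, array $post)
    {
        if (empty($session[self::KEY]) || !isset($post['csrf']) || !is_string($post['csrf'])) {
            return false;
        }
        return hash_equals($session[self::KEY], $post['csrf']);
    }
}

// Constructed walk-through: the layout renders the form on "/", the browser
// posts it to /ucp/login, and a forged post without the real token is rejected.
$session = array();
$html = CsrfToken::hiddenField($session);
preg_match('/value="([0-9a-f]+)"/', $html, $m);
$genuine = array('csrf' => $m[1]);
$forged  = array('csrf' => str_repeat('0', 64));
printf("genuine post: %s\n", CsrfToken::check($session, $genuine) ? 'accepted' : 'rejected');
printf("forged post:  %s\n", CsrfToken::check($session, $forged) ? 'accepted' : 'rejected');
```

After a successful login the stored token should be dropped and reissued so a pre-login token is not carried into the authenticated session.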