I am using Zend_Form_Element_Hash to protect csrf on my website. Below is the code in my Form.php
$token = new Zend_Form_Element_Hash('token', 'csrf');
$token->setSalt(md5(uniqid(rand(), TRUE)));
$token->initCsrfToken();
$token->initCsrfValidator();
$this->addElement($token);
When I check for $form->isValid in my controller I always get the below error
The two given tokens do not match
Would appreciate any help here!
分享 Csrf is stored in session, session name for csrf depends on salt. If salt is random, session name will be random too. So you couldn't get csrf from session to compare it with csrf from post. Make salt constant for this form.
Don't call initCsrfToken, this method resets csrf and is called
automatically on render.
Better transmit salt on element creation
$token = new Zend_Form_Element_Hash('token', 'csrf', array('salt' => 'secure'));
$this->addElement($token);
