Cross-Site Request Forgery (CSRF) protection

CSRF protection is against the form elements such as in user registration or adding comments are vulnerable to this attack. CSRF is created to prevent the form values from being sent outside our application. To fix this, we generate a random nonce (token) in each form.

We add the token in the session and then validate the token. By comparing the form posts data back to the application to the stored token in the session with the one submitted by the form.

Example

<?php echo Tag::form('session/login') ?>

    <!-- Login and password inputs ... -->

    <input type='hidden' name='<?php echo $this->security->getTokenKey() ?>'
        value='<?php echo $this->security->getToken() ?>'/>
</form>

Then in the controller's action you can check if the CSRF token is valid:

<?php

use Phalcon\Mvc\Controller;

class SessionController extends Controller
{
    public function loginAction()
    {
        if ($this->request->isPost()) {
            if ($this->security->checkToken()) {
                // The token is OK
            }
        }
    }
}

Next TopicPhalcon Internationalization

← prev next →