Phalcon (CSRF)

by Online Tutorials Library July 14, 2022

Cross-Site Request Forgery (CSRF) protection

CSRF protection is against the form elements such as in user registration or adding comments are vulnerable to this attack. CSRF is created to prevent the form values from being sent outside our application. To fix this, we generate a random nonce (token) in each form.

We add the token in the session and then validate the token. By comparing the form posts data back to the application to the stored token in the session with the one submitted by the form.

Example

  <?php echo Tag::form(‘session/login’) ?>        <!– Login and password inputs … –>        <input type=’hidden’ name='<?php echo $this->security->getTokenKey() ?>’          value='<?php echo $this->security->getToken() ?>’/>  </form>  

Then in the controller’s action you can check if the CSRF token is valid:

  <?php    use PhalconMvcController;    class SessionController extends Controller  {      public function loginAction()      {          if ($this->request->isPost()) {              if ($this->security->checkToken()) {                  // The token is OK              }          }      }  }  

Next TopicPhalcon Internationalization

Phalcon (CSRF)

Cross-Site Request Forgery (CSRF) protection

Insert PDF into Word File

Blending Modes in Photoshop

You may also like