I have a little issue concerning CSRF security and a login form. The form works as follows:
In the main layout a view helper creates a login form and will later also display a user specific menu when a user has been authenticated.
// User menu viewhelper
public function authentication()
{
// Check if user is authenticated or not
$auth = Zend_Auth::getInstance();
if(!$auth->hasIdentity())
{
$form = new Application_Form_Login();
$form->setAction($this->_view->url(array('action' => 'login'), 'ucp', true));
return $form;
}
else
{
// return user specific menu
}
}
The form posts to a UcpController containing all the user control panel logic, such as logging in/out and displaying user specific information.
// loginAction in UcpController
public function loginAction()
{
if(Zend_Auth::getInstance()->hasIdentity())
{
$this->_redirect('/');
return;
}
$request = $this->getRequest();
$form = new Application_Form_Login();
if($request->isPost())
{
if($form->isValid($post = $request->getPost()))
{
// Do authentication stuff here.
}
}
$this->view->form = $form;
}
Sadly this way the CSRF token fails to match and I’m clueless how to solve this problem. Am I missing something here? Should I remove the CSRF validation all together?
// The CSRF protection element as added to the login form
$this->addElement('hash', 'csrf',
array(
'ignore' => true
)
);
Thanks in advance, your help is greatly appreciated 🙂
Problem solved! I ran into someone who encountered the same problem. The cause is very strange: http://tinyurl.com/3fkg8bk (ZF Forums).
As it turned with me, my favicon was returning an HTTP 500 code as the file was non-existent. This apparently triggers a new CSRF to be generated. I don’t have the slightest clue why, but it solved my problem to create an icon and upload it to the webroot.
Thanks for thinking along with me at least!