I have a load of ZF1 salted hash elements in various forms on my site and 99% of the time they work fine but occasionally they fail. This usually seems to happen after a redirect but not within the redirect hop. The form is created after the redirect in a separate action so I don’t understand why the redirect would be affecting it. The forms that fail are generating their tokens correctly, they just don’t match after the POST and validation.
Any ideas?
Hash element below:
```php
// Zend_Form_Element_Hash: a one-time CSRF token stored in the session,
// valid for 1440 seconds; $config is the application config (defined elsewhere)
$token = $this->createElement(
    'hash',
    'token',
    array('timeout' => 1440)
);
$token->setSalt($config->csrf->salt)
      ->addErrorMessage('The session for this form has timed out.');
$this->addElement($token);
```
It turns out that the issue was due to token naming. I had a standard hash element named ‘token’ that was added to all forms. I changed the code so that the token name was prepended with the form name so rather than ‘token’ they are now ‘loginformtoken’, etc.
I’m still not sure if this was due to an issue in my code due to redirects or whether ZF uses an internal ‘token’ session anywhere (the word token seems to be fairly heavily used in the ZF source code) that was causing a conflict.
Nevertheless, using unique hash ids seems to be the way forward and I’ll be following this standard in the future.
Edit:
This was my fault completely for not reading the manual:
I had a default salt and the same hash name so no wonder I was having problems.
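To show why the same salt plus the same element name breaks across forms, here is a small model of how Zend_Form_Element_Hash stores its token (one session slot keyed by salt and element name); it is an added illustration, not the poster's code and not ZF1 itself, and it assumes that slot naming and uses 'salt' as a stand-in for the default salt and 'app-secret' as a constructed replacement.

```php
<?php
// Model of the session slot Zend_Form_Element_Hash uses: one entry per salt + element name.
// Assumption (labelled): the slot key is 'Zend_Form_Element_Hash_<salt>_<name>'.
class CsrfStore
{
    private $session = array();   // stands in for the Zend_Session_Namespace

    private function key($salt, $name)
    {
        return 'Zend_Form_Element_Hash_' . $salt . '_' . $name;
    }

    // Called when a form is rendered: generate a fresh token and remember it.
    public function issue($salt, $name)
    {
        $hash = md5(mt_rand(1, 1000000) . $salt . $name . mt_rand(1, 1000000));
        $this->session[$this->key($salt, $name)] = $hash;
        return $hash;
    }

    // Called on POST: the submitted value must equal what the session slot holds.
    public function validate($salt, $name, $submitted)
    {
        $k = $this->key($salt, $name);
        return isset($this->session[$k]) && $this->session[$k] === $submitted;
    }
}

$store = new CsrfStore();

// Two forms rendered in the same session, both with the default salt and the name 'token':
// the second render overwrites the slot the first one filled, so the login POST fails.
$loginToken   = $store->issue('salt', 'token');   // login form rendered
$contactToken = $store->issue('salt', 'token');   // contact form rendered, same slot
var_dump($store->validate('salt', 'token', $loginToken));

// Per-form element names (and an application-specific salt) give each form its own slot,
// so both tokens still match on POST.
$loginToken   = $store->issue('app-secret', 'loginformtoken');
$contactToken = $store->issue('app-secret', 'contactformtoken');
var_dump($store->validate('app-secret', 'loginformtoken', $loginToken));
var_dump($store->validate('app-secret', 'contactformtoken', $contactToken));
```

Any page that renders two forms sharing a slot (or the same form twice, e.g. in a layout) hits the first case, which is why the failures looked intermittent rather than systematic.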