Home/ Questions/Q 676597
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T00:56:45+00:00

i saw a example for login form same blow code class Form_Login extends Zend_Form

  • 0

i saw a example for login form same blow code

class Form_Login extends Zend_Form {
    //put your code here
    public function init($timeout=360){

        $this->addElement('hash', 'token', array(
             'timeout' => $timeout
        ));
        $this->setName('Login');
       $username = $this->createElement ( 'text', 'username' );
        $username->setLabel('user name:')
                ->setRequired();
                $this->addElement($username);
        $password=$this->createElement('password','password');
        $password->setLabel('password:');
        $password->setRequired();
        $this->addElement($password);
        $login=$this->createElement('submit','login');
        $login->setLabel('Login');
        $this->addElement($login);

        $this->setMethod('post');
        $this->setAction(Zend_Controller_Front::getInstance()->getBaseUrl().'/authentication/login');

    }
}

and in submitAction

a part code same below

if (!$form->isValid($request->getPost())) {
            if (count($form->getErrors('token')) > 0) {
                return $this->_forward('csrf-forbidden', 'error');
            }    
            $this->view->form = $form;
            return $this->render('login');
        }

now , my question, whats the reason for use of hash element?
how this hash element make secure login?

anybody may help explain these?

thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Wikipedia has a page on it (Cross Site Request Forgery). Just to pick up on your wording of the question. It doesn’t make it secure, it just protects against a type of attack.

    In short, someone can change the state on the server without the user having to visit the page by getting the browser to load a Url (Either in a hidden frame or with a image tag) without the users knowledge.

    In this case it is protecting against Login CSRF. An example would be that you could log a victim into a custom google account. Then when they searched using this account you would have access to their search history.

    The flaw in both of these methods is they have no way to access the page the actual form is on. The protection is to therefore assign a hash to the user to ensure they visit the login page and submit the correct hash along with other values.

    An arguably better way to defend against login CSRF is to check the Referer header and reject it if it isn’t correct or isn’t present.

    • 0