CSRF Form Issue

[meccoworld]

I have been trying to set up a CSRF form with the below code but checkToken() always return false.

        if ($this->request->isPost() && $this->security->checkToken()) {
            $this->view->message = "Okay";
        }else{
            $this->view->message = "Not Okay";
        }

[noone-silent]

Do you have any Ajax requests on this page? Also check if all resources (images etc.) are loaded correctly (no HTTP Status 404). It could be that this could trigger a new request to Phalcon and generate a new Token.

[meccoworld]

Hi noone,

Thanks for the response, below is my code.

<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="robots" content="noindex">
<link rel="shortcut icon" type="image/x-icon" href="">
<?php $this->assets->outputCss(); ?>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>


<form action="signup/register" method="post">
<input type="hidden" name="<?php echo $this->security->getTokenKey() ?>" value="<?php echo $this->security->getToken() ?>"/>

 public function registerAction()
    {

        if ($this->request->isPost()) {
            if ($this->security->checkToken()) {
                // The token is OK
                return "CSRF Working.";
            }else{
                return "CSRF not Working.";
            }
        }

When I check view source from the registration page, the token input name and the values gets generated, but when I submit it doesn't validate.

Thank you,
Kind regards

[noone-silent]

I mean like this:

1. open your brower
2. Press F12 or open the developer tools over the menu
3. Open the Network Tab
4. Open the Site where the bug happens
5. Look in the Network Tab if some requests fail (Status Code 404, 500 etc.)

For example the following can happen. You call an image or css or font whatever, but the resource is not found anymore and the request will be routed through the Phalcon framework. With this, a new request has been made and a new token will be generated. If you now submit the form, the token do not match anymore.

[meccoworld]

I have check everything seems to return 200, please see attachment of screenshots

[noone-silent]

Could you please check if the 2 css files have the right content? You can click them in the network tab and see the contents

[noone-silent]

And you have 7 errors in the console tab

[meccoworld]

Hello noone,
Still not working, I even comment out the CSS files and CSRF still now working.
Thank you

[noone-silent]

Do you have a running session? CSRF needs a running session where it can store the token, also try to log every call in the index.php then you will see if the script gets called from somewhere else.

[meccoworld]

I’m not sure how I can do that.

But I’m sure the csrf input name and values were generated from session so I would say I have a session running but not sure about where it can store token.

Thanks

[noone-silent]

You can check if the session is started. See https://docs.phalcon.io/4.0/en/session#dependency-injection

There can only be 2 problems here: Session doesn't start or save the token or another request in the background forces the Framework to generate a new Token (because every Token is only valid for 1 request).

To log every request that is happening you could do something like this in the index.php:

file_put_contents('request.log', date('Y-m-d H:i:s') . ' ' . $_SERVER['REQUEST_URI'] . \PHP_EOL, \FILE_APPEND);

create a request.log file next to the index.php and give write permissions.

Do one request and look into the request.log. If there are 2 line in this file, you know there have been another request. If there is only 1 line, then the problem would be the session.

[meccoworld]

Please kindly see the result from the above execution.

My session is started. If it is okay I don't know if we can connect for a Zoom meeting because this is really taking long for me to proceed to my next steps.

Thank you

[noone-silent]

the request log needs to be in public/index.php to track every request. Here it only tracks a call to indexAction.

Also please make sure you have an active session handler registered in your services. Please see https://docs.phalcon.io/5.0/en/session#dependency-injection and add that to your service definitions.

[meccoworld]

I noticed a change.

[meccoworld]

It working now. Thanks.

I had to use the below HTML code to prevent making additional favicon requests.

<link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">

[noone-silent]

That's what I meant. The favicon.ico does not exist. Then it will be forwarded to the Framework and a new Token will be generated.

[meccoworld]

Thank you. I appreciate the help.

I hope you don't mind when I come back with other challenges later.

Thanks again.