CSRF validation failed about vokuro HOT 7 CLOSED

I think that many Phalcon projects are having this issue and I've noticed in myself on my private project that is a distant relative of Vokuro. I'll be working with Javascript for a few months so I won't be able to test this out but its something that I know that someone will eventually have to resolve it for much of the community. It may be that Phalcon CSRF is broken or that most people are using the wrong convention that breaks under a certain edge case. For example I have noticed this issue on my development framework signin and when it goes bad then no typical refreshing will fix it but if I go to the URL bar and hit enter then it can break it out of the loop.

from vokuro.

I confirm the issue. Try to submit the same form twice (to correct some errors from first submit) and you will see the CSRF will fail.

from vokuro.

I think this can be fixed with some javascript that will update the form csrf value with the one from the cookie on submit.

from vokuro.

For anybody else reading this. I fixxed it by replacing this:

$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical([
            'value' => $this->security->getSessionToken(),
            'message' => 'CSRF validation failed'
        ]));

By this

$csrf = new Hidden('csrf');
$csrf->addValidator( new Callback(
        [
            "message" => "CSRF validation failed",
            "callback" => $this->security->checkToken()
        ]));

Dont forget to include the Callback class;
use Phalcon\Validation\Validator\Callback;

from vokuro.

@emiliodeg Could you please provide a bit more info. We can't reproduce the issue.

from vokuro.

#104 Got same error today

from vokuro.

Session was not start in the case of #104. Let's close this one and let's reopen if we can reproduce this.

from vokuro.