Currently I am trying to use the CSRF protection of Zend Framework 2.
But every time I send my form, I get this error message:
The form submitted did not originate from the expected site
I have implemented the CSRF protection in this way:
1) created a Form Class and added the csrf:
$this->add(array(
'type' => 'Zend\Form\Element\Csrf',
'name' => 'secret',
'options' => array(
'csrf_options' => array(
'timeout' => 600
)
)
));
2) echoed the csrf element in the view file:
echo $this->form()->openTag($forgotPasswordForm);
echo $this->formRow($forgotPasswordForm->get('email'));
echo $this->formRow($forgotPasswordForm->get('secret'));
echo $this->formSubmit($forgotPasswordForm->get('submit'));
echo $this->form()->closeTag($forgotPasswordForm);
I figured out that the CSRF token isn't stored in the session, but why?
I had these lines in my controller:
$forgotPasswordForm = new ForgotPassword();
$forgotPasswordForm->prepare();
I moved $forgotPasswordForm->prepare()
to the view file and now it works :-)
Thank you for your support!
I just use the Csrf element in the form and the Csrf validator in my input validators. The Csrf validator must be constructed with the same name as the element.
You can instantiate the form in the controller, or inject it with DI, but $form->prepare() must be done by the view. Also use a hidden in the view for the CSRF.
I use this cheatsheet; it's the best I found for ZF2, and it also has things for Doctrine 2. http://zf2cheatsheet.com/#controller
Here's the code I use.
<?php
// module/Album/src/Album/Form/AlbumForm.php:
namespace Album\Form;
use Zend\Form\Form;
use Zend\Form\Element;
class AlbumForm extends Form
{
public function __construct($name = null)
{
parent::__construct('album');
$this->add(array(
'name' => 'id',
'type' => 'Hidden',
));
/* not including other elements for short answer; title and artist are added here so the view below renders */
$this->add(array('name' => 'title', 'type' => 'Text'));
$this->add(array('name' => 'artist', 'type' => 'Text'));
// CSRF element; the name 'security' is also the name the validator uses for its session container
$this->add(new Element\Csrf('security'));
$this->add(array(
'name' => 'submit',
'type' => 'Submit',
'attributes' => array(
'value' => 'Go',
'id' => 'submitbutton',
),
));
}
}
<?php
// module/Album/view/album/album/add.phtml:
$form->setAttribute('action', $this->url('album', array(
'action' => 'add' )));
// prepare() in the view, not in the controller: this is where the CSRF token is generated and stored in the session
$form->prepare();
echo $this->form()->openTag($form);
echo $this->formHidden($form->get('id'));
echo $this->formRow($form->get('title'));
echo $this->formRow($form->get('artist'));
// the Csrf element renders as a hidden input whose value is the token
echo $this->formHidden($form->get('security'));
echo $this->formSubmit($form->get('submit'));
echo $this->form()->closeTag();
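Putting the thread together (the asker's fix of moving prepare() into the view, the first answer's point that the validator must carry the element's name, and the form and view code above), here is an added example that is not code from the question or either answer. It shows a form whose input filter builds Zend\Validator\Csrf with the same name as the element, and a controller action that validates the POST before anything calls prepare(). In ZF2 the Csrf element's prepareElement() regenerates the token and overwrites the one in the session, which is why a prepare() in the controller ahead of isValid() makes every submission fail with the message in the question. The namespaces, the 'album' route and the element name 'security' are assumptions following the tutorial layout used above.

```php
<?php
// Added example, not code from the question or the answers above. Album\Form,
// Album\Controller, the 'album' route and the 'security' element are assumed.

namespace Album\Form {

    use Zend\Form\Form;
    use Zend\Form\Element;
    use Zend\InputFilter\InputFilterProviderInterface;
    use Zend\Validator\Csrf as CsrfValidator;

    class AlbumForm extends Form implements InputFilterProviderInterface
    {
        // One constant for the element AND the validator: both derive the
        // session container name from it, so a mismatch always produces
        // "The form submitted did not originate from the expected site".
        const CSRF_NAME = 'security';

        public function __construct($name = null)
        {
            parent::__construct('album');
            $this->add(array('name' => 'id',     'type' => 'Hidden'));
            $this->add(array('name' => 'title',  'type' => 'Text'));
            $this->add(array('name' => 'artist', 'type' => 'Text'));
            // Renders as <input type="hidden">; its value is the token.
            $this->add(new Element\Csrf(self::CSRF_NAME));
            $this->add(array(
                'name'       => 'submit',
                'type'       => 'Submit',
                'attributes' => array('value' => 'Go'),
            ));
        }

        // Explicit input filter: the Csrf validator is constructed with the
        // same name as the element, as the first answer requires.
        public function getInputFilterSpecification()
        {
            return array(
                'title' => array(
                    'required' => true,
                    'filters'  => array(array('name' => 'StringTrim')),
                ),
                'artist' => array(
                    'required' => true,
                    'filters'  => array(array('name' => 'StringTrim')),
                ),
                self::CSRF_NAME => array(
                    'required'   => true,
                    'validators' => array(
                        new CsrfValidator(array(
                            'name'    => self::CSRF_NAME,
                            'timeout' => 600, // seconds the token stays valid
                        )),
                    ),
                ),
            );
        }
    }
}

namespace Album\Controller {

    use Zend\Mvc\Controller\AbstractActionController;
    use Zend\View\Model\ViewModel;
    use Album\Form\AlbumForm;

    class AlbumController extends AbstractActionController
    {
        public function addAction()
        {
            $form    = new AlbumForm();
            $request = $this->getRequest();

            if ($request->isPost()) {
                // Validate BEFORE anything prepares the form. Csrf::prepareElement()
                // regenerates the token and overwrites the one in the session, so
                // a $form->prepare() here would make every POST fail validation.
                $form->setData($request->getPost());
                if ($form->isValid()) {
                    $data = $form->getData();
                    // ... persist $data (omitted) ...
                    return $this->redirect()->toRoute('album');
                }
                // Invalid: fall through and re-render; the view's prepare()
                // issues a fresh token for the retry.
            }

            // No prepare() in the controller. The view calls $form->prepare()
            // immediately before openTag(), exactly as in the add.phtml above.
            return new ViewModel(array('form' => $form));
        }
    }
}
```

The GET path renders the form and, through the view's prepare(), writes a new token into the session; the POST path reads that token back via isValid() without touching it first. Keep the same 'name' (and, if you set one, the same 'salt') on the element and on any standalone Csrf validator, otherwise they look in different session containers.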