Multiple Forms

[firestorm]

I've tried the token in head you suggested but no dice, get "token does not match" the problem is the token is generated on page load so will still generate in the header, back to drawing board, prob will ajaxify all pages which should resolve that, done one page with 2 forms, just have to try remember how to refresh page content without reload lol

[karsen]

Here is the code I use in my header:

Code:

// CSRF check

Code:

if (!empty($_POST)) {

Code:

$tokenPost = Input::sanitize($_POST['csrf']);

Code:

if (!Token::check($tokenPost)) {

Code:

$userPermissions->addAudit($pathToCheck); // This line goes with my custom permissions class and adds a new line to the audit table for the tomfoolery page

Code:

Redirect::to('csrf.php'); // a custom 'try again without a page refresh' notification page

Code:

die();

Code:

}

Code:

}

Code:

$token = Token::generate();

From here I use echo $token into all my page forms.

[firestorm]

argh ok, well I've created a new CSRF Protect class with session storage, i can confirm with 4 forms on a page no more "token not valid" issues, same token per session.

we drop it into classes, will need requiring from init if autoload not present.

we instantiate with:

Code:

$csrf = new CSRF_Protect();

we automatically insert hidden form field using this in the form:

Code:

<?php $csrf->echoInputField();?>

then we check its valid in our php, so after

Code:

if(!empty($_POST['copyright1'])){

we would do:

Code:

$csrf->verifyRequest();

hope thats helps some, find the class here: https://github.com/Firestorm-Graphics/CSRF-Protect

[bladerunner]

Thank you, @Firestorm, for your code in GitHub. It was impossible for me to get the Tokens work in AJAX callings. But your code works properly with AJAX.

I'm replacing the use of UserSpice Token class with your code to be able to combine AJAX and CSRF.

Thank you very much!