CSRF element naming conflicts #4785
Comments
Just came across the same problem yesterday. Suggestions for naming:
New implementation: I like the array variant because there would be only one session entry...
@ThaDafinser The issue with using the form name as a prefix is that forms do not need to be named - which makes that approach unreliable. Using the CSRF token itself as part of the session key name is problematic, as the point is to look up the stored token for the given element. If we already know the token, we're likely not secure. The approach of having an array of all CSRF tokens for the user is possible, but would break all existing CSRF tokens currently active at the time somebody upgrades their ZF2 codebase. I think this comes down to a documentation issue, to be honest.
…naming - CSRF elements need to be uniquely named on the same page when multiple forms are present.
@weierophinney I was working on a PR at the moment, following the array approach. Should I just give up?
Also note that the validation fails not only when multiple CSRF elements are present in the same page, but even if two different tokens are sent each from a different request but sharing the same session (i.e. two browser tabs).
@stefanotorresi The test you linked to is practically incomprehensible. If you can rewrite it to use the validation method properly, that would likely be best.
Fixed with #5918.
If you have 2 forms and each form has a CSRF element called "csrf" (or any other name, they just must be the same), the validation may work wrong if you use 2 forms on the same page (or if you open 2 tabs with 2 different forms).
That's happening because the CSRF validators save tokens in the session using just the element names. I think that this must be changed, or it must be added in the docs that you must use different names for CSRF elements.
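A small Python model of the two session-storage schemes discussed in this thread: the per-element-name single slot that the issue describes (a second render of the same form overwrites the first token, so the other tab or form fails validation), and the array-of-live-tokens variant proposed in the comments. This is an added example, not code from the Zend Framework project; the `csrf_` session-key prefix, the consumption of a token on successful validation, and the cap of five live tokens per element name are assumptions of the model, not ZF2 behaviour.

```python
"""Model of per-element CSRF token storage (constructed example, not ZF2 code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SingleSlotStore:
    """Keyed by element name only: one token per name.

    This is the behaviour the issue describes: rendering the element a
    second time (second form, second tab) overwrites the first token.
    """
    session: dict = field(default_factory=dict)  # stands in for the server-side session

    def issue(self, element_name: str) -> str:
        token = secrets.token_hex(16)
        self.session[f"csrf_{element_name}"] = token  # assumed key layout
        return token

    def validate(self, element_name: str, token: str) -> bool:
        stored = self.session.get(f"csrf_{element_name}", "")
        # constant-time comparison so a wrong token leaks nothing via timing
        return secrets.compare_digest(stored, token)


@dataclass
class MultiTokenStore:
    """The array variant: one session entry per element name holding a
    bounded list of live tokens, so several renders can coexist."""
    session: dict = field(default_factory=dict)
    max_tokens: int = 5  # assumed cap; bounds session growth under repeated renders

    def issue(self, element_name: str) -> str:
        token = secrets.token_hex(16)
        tokens = self.session.setdefault(f"csrf_{element_name}", [])
        tokens.append(token)
        del tokens[:-self.max_tokens]  # keep only the newest max_tokens entries
        return token

    def validate(self, element_name: str, token: str) -> bool:
        tokens = self.session.get(f"csrf_{element_name}", [])
        for stored in tokens:
            if secrets.compare_digest(stored, token):
                tokens.remove(stored)  # assumed single-use: a token cannot be replayed
                return True
        return False


def two_tabs_scenario(store_cls) -> tuple:
    """Render the same form (element "csrf") in two tabs, then submit tab 1
    and tab 2 in turn. Returns (tab1_ok, tab2_ok)."""
    store = store_cls()
    tab1 = store.issue("csrf")
    tab2 = store.issue("csrf")
    return store.validate("csrf", tab1), store.validate("csrf", tab2)


def unique_names_scenario() -> tuple:
    """Two forms on one page with distinct element names under the single-slot
    store, i.e. the documentation workaround from the thread."""
    store = SingleSlotStore()
    login = store.issue("login_csrf")
    search = store.issue("search_csrf")
    return store.validate("login_csrf", login), store.validate("search_csrf", search)


def replay_is_rejected() -> bool:
    """A token accepted once by the array store is not accepted a second time."""
    store = MultiTokenStore()
    token = store.issue("csrf")
    first = store.validate("csrf", token)
    second = store.validate("csrf", token)
    return first and not second


if __name__ == "__main__":
    print("single slot, two tabs:", two_tabs_scenario(SingleSlotStore))
    print("array store, two tabs:", two_tabs_scenario(MultiTokenStore))
    print("single slot, unique names:", unique_names_scenario())
    print("array store rejects replay:", replay_is_rejected())
```

With the single-slot store the first tab's token is gone by the time it is submitted, which is exactly the "two tabs" failure described in the comments; the array store accepts both submissions and still rejects a replayed token. The cap on live tokens is the trade-off the array approach needs so that a user who keeps reloading a form cannot grow the session without bound.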