Phalcon CSRF在服务器上失败
[英]Phalcon csrf fail on server
问题描述
I am using phalcon 2.0.9. 
我正在使用Phalcon 2.0.9。
I have a login form, with csrf protection. 我有一个带有csrf保护的登录表单。
This is the code in the form: 这是形式的代码:
<input type='hidden' id='token' name='{{ security.getTokenKey() }}' value='{{ security.getToken() }}' />
And this is the validation in the controller: 这是控制器中的验证:
if(!$this->security->checkToken()) {
// error code here
}
It works perfectly on localhost, butn when I upload it to the server, it always fails. 它可以在localhost上完美运行,但是当我将其上传到服务器时,它总是失败。 I use ajax in login. 我在登录时使用ajax。 After the post request, the csrf token in session is different than the token in the post. 发布请求后,会话中的csrf令牌与发布中的令牌不同。
What could cause this? 是什么原因造成的?
1 个解决方案
解决方案1
0 2016-05-31 13:13:18
Credit : Daniel @ https://forum.phalconphp.com/discussion/922/csrf-protection-not-working 图片来源:Daniel @ https://forum.phalconphp.com/discussion/922/csrf-protection-not-working
Make sure you're using the latest Phalcon version on your server as well 确保您也在服务器上使用最新的Phalcon版本
And either use the server configurations given by the users on the forum or move your notfound(404) action to a controller that doesn't include CSRF TokenKey & Key generation on it's view. 并且可以使用论坛上用户提供的服务器配置,也可以将notfound(404)操作移至视图上不包含CSRF TokenKey和Key生成的控制器。
When there's a item favion/robot.txt/img etc that is not found on the server this hits the 404 action and you end up have the CSRF tokens regenerated. 如果在服务器上找不到项目favion / robot.txt / img等,则会命中404动作,最终您会重新生成CSRF令牌。
Hope that would help. 希望对您有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.