1

I wrote a CSRF protection for my forms and added a hidden token. The post is sent to the same action, so my formAction code looks like this:

if ($this->getRequest()->isPost()) {
    // Token submitted with the form (hidden field "token")
    $token = $this->_getParam('token');
    // Accept the post only if a token exists in the session, one was submitted,
    // and they match exactly (strict comparison, not the loose == operator)
    if (isset($this->session->token) &&
        isset($token) &&
        $token === $this->session->token) {
         ......process form.......
    }
    else {
       error_log('possible CSRF attack');
    }
}
else {
    // GET: generate a fresh token, store it in the session and expose it to the view
    $this->session->token = md5(uniqid(mt_rand(), true));
    $this->view->token = $this->session->token;
}

and in my view html I add:

<input type="hidden" value="<?= $this->token; ?>" name="token" />

This works in all major browsers but causes some problems in WebKit browsers like Chrome and Safari. Here I get a second GET request to my contact action in the background, which generates a new token, and thus the form is not valid....

Does anyone know where this second request is coming from? If it were my own code, there would be a second request in ALL browsers...

Regards

4

0 answers
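The failure described in the question (a duplicate background GET overwriting the token) is a design issue in the token handler rather than a browser bug: if every GET mints a new token, any prefetch, preview or second request invalidates the form already rendered. The added example below is not the asker's Zend Framework code; it is a framework-free PHP 7.1+ version (using plain $_SESSION, $_POST and a self-posting form, all assumptions) that generates the token only when the session has none, so repeated GETs are harmless, compares it in constant time, and rotates it after a successful post.

```php
<?php
// Added example, not the original post's code. Assumes plain PHP sessions (PHP 7.1+).
session_start();

// Return the session's CSRF token, creating one only if none exists yet.
// A second GET (prefetch, link preview, duplicate navigation) therefore keeps
// the token that is already embedded in the rendered form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // CSPRNG-based token instead of md5(uniqid()) (predictable seed)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token. Accepts mixed input because $_POST['token'] may be
// an array (token[]=...) or missing; both must fail cleanly, not throw.
function csrf_valid($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison; also avoids loose == pitfalls such as "0e..." strings
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (csrf_valid($_POST['token'] ?? null)) {
        // ... process the form here ...
        unset($_SESSION['csrf_token']); // rotate: a token is good for one submission
        echo 'Form accepted';
    } else {
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        echo 'Invalid form token';
    }
} else {
    // GET: render the form; the token is reused across repeated GETs until consumed
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="token" value="' . $token . '" />'
       . '<button type="submit">Send</button>'
       . '</form>';
}
```

With this layout the question's "second request" still happens, but it no longer matters: the session keeps the same token until a valid POST consumes it. If you also want per-form tokens (several forms open at once), store a small set of tokens in the session and remove the one that was used rather than a single scalar.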