Hello. Learn something new every day. I didn't consulted the manual as the implementiation worked prior so I thought the problem must be elsewhere. Now that this issue is fixed, I thank you for your answers. :)
- Marcus Am 09.07.2010 um 13:03 schrieb Aleksey Zapparov: > Hello, > > Because it should not. :)) You have to specify a unique hash per element. > Because salt should be UNIQUE, but hardcoded :)) Else you can pass > unique salt as part of the form. In this case you'll need to extend Hash > form element and view helper to append a hidden input field with randomly > generated salt. But as far as I can see this will cause session overdosing > with redundant values. > > PS "The name of the hash element should be unique. We recommend > using the salt option for the element- two hashes with same names and > different salts would not collide." (c) Zend Framework Manual (1) > > > [1] > http://framework.zend.com/manual/en/zend.form.standardElements.html#zend.form.standardElements.hash > > > 2010/7/9 Marcus Stöhr <[email protected]>: >> Hello Aleksey. >> >> Your hint at the custom salt-name did the trick. Thank you very much. >> However, the question is still: Why does it not work out of the box? >> >> - Marcus >> >> Am 09.07.2010 um 12:00 schrieb Aleksey Zapparov: >> >>> The problem is that Zend_Form_Element_Hash use session >>> namespace of form: >>> >>> %CLASSNAME%_%SALT%_%ELEMENTNAME% >>> >>> %CLASSNAME% is Zend_Form_Element_Hash, and >>> %SALT% be default is salt, and %ELEMENTNAME% is >>> whatever yiu specify, as I guess you specify same element >>> name (wich is quite normal), so namespace you receive is >>> >>> Zend_Form_Element_Hash_salt_csrf >>> >>> Now, what you can do is either specify your own Zend_Session >>> object: >>> >>> $csrf->setSession($myVeryOwnSessionObject); >>> >>> Or (which in this case is much better solution) to specify very >>> own salt: >>> >>> $csrf->setSalt('my_very_own_salt'); >>> >>> or passing it as an option 'salt' upon element constructor like this: >>> https://gist.github.com/bab9e79ec74b0dbb1aea >>> >>> >>> 2010/7/9 Marcus Stöhr <[email protected]>: >>>> Hello. >>>> >>>> After some more investigation I found out that the hash provided in my >>>> form is not the one stored in the session so it's normal that the >>>> validation fails. However, the question now is why is another hash in my >>>> form rather the correct one from the session? >>>> I print out the CSFR-hash using <?php echo >>>> $this->form->getElement('csrf'); ?> to customize my form. Any hints about >>>> fixing this issue? >>>> >>>> - Marcus >>>> >>>> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr: >>>> >>>>> Hi Chris. >>>>> >>>>> Nope, didn't work. I still get 'The two given tokens do not match' for >>>>> the Hash-element. >>>>> >>>>> - Marcus >>>>> >>>>> Am 08.07.2010 um 09:28 schrieb Chris Riesen: >>>>> >>>>>> On Register_Controller.php here >>>>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out >>>>>> lines 22 and 23 then retry. I think that might be the problem there. >>>>>> >>>>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr >>>>>> <[email protected]> wrote: >>>>>>> Hi Chris. >>>>>>> >>>>>>> The only redirect action I have fires only when the form is valid and >>>>>>> the user saved in the database. Here is some sample code (I stripped >>>>>>> out some things not relevant): >>>>>>> >>>>>>> https://gist.github.com/c66b22f11bbe138df6ad >>>>>>> >>>>>>> I use the actual trunk of Zend Framework and tried also the latest >>>>>>> release 1.10.6 but the problems stays the same. >>>>>>> >>>>>>> - Marcus >>>>>>> >>>>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen: >>>>>>> >>>>>>>> It get's set and reset at every load. Are you by chance using any >>>>>>>> forwarders or redirects? It gave me the error when I sent a form, >>>>>>>> validated it and the went back with the browser button to the form >>>>>>>> again and tried sending it again (of course). Maybe you have some >>>>>>>> code? >>>>>>>> >>>>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr >>>>>>>> <[email protected]> wrote: >>>>>>>>> Hello. >>>>>>>>> >>>>>>>>> I have a strange problem: I have a form where I add an >>>>>>>>> CSFR-Protection using Zend_Form_Element_Hash. >>>>>>>>> When I call the form, a new session is correctly created in the >>>>>>>>> database. But when I submit the form, I get a validation error >>>>>>>>> stating that the provided hash doesn't match the saved one. The funny >>>>>>>>> part is that this exactly form already worked and I haven't changed >>>>>>>>> anything that could cause this (well, I did not activly changed >>>>>>>>> anything). >>>>>>>>> >>>>>>>>> Any suggestions how to track down this error? >>>>>>>>> >>>>>>>>> - Marcus >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Greetings, >>>>>>>> Christian Riesen >>>>>>>> http://christianriesen.com/ - My personal page >>>>>>>> http://toreas.com/ - Toreas a free fantasy novel >>>>>>>> http://gamewiki.net/ - Open Videogames Wiki >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Greetings, >>>>>> Christian Riesen >>>>>> http://christianriesen.com/ - My personal page >>>>>> http://toreas.com/ - Toreas a free fantasy novel >>>>>> http://gamewiki.net/ - Open Videogames Wiki >>>>> >>>> >>>> >>> >>> >>> >>> -- >>> Sincerely yours, >>> Aleksey V. Zapparov A.K.A. ixti >>> FSF Member #7118 >>> Mobile Phone: +34 617 179 344 >>> Homepage: http://www.ixti.ru >>> JID: [email protected] >>> >>> *Origin: Happy Hacking! >> >> > > > > -- > Sincerely yours, > Aleksey V. Zapparov A.K.A. ixti > FSF Member #7118 > Mobile Phone: +34 617 179 344 > Homepage: http://www.ixti.ru > JID: [email protected] > > *Origin: Happy Hacking!
