fuel / core

Fuel PHP Framework - The core of the Fuel v1 framework
http://fuelphp.com

Form::open() should add hidden field with csrf token if csrf_autoload = true #1171

Closed keevitaja closed 11 years ago

keevitaja commented 12 years ago

At the moment csrf_autoload in main config.php seems to be useless, because you have to add the csrf token to the view manually.

WanWizard commented 11 years ago

That doesn't really help much, as this config key does autoload, not autovalidate.

RamyTalal commented 11 years ago

@WanWizard An auto-validate option would be a great addition.

WanWizard commented 11 years ago

That would cause an exception where you won't be able to catch it (other than perhaps in your index.php), I'm not sure that is desirable.

WanWizard commented 11 years ago

Auto validation has been fixed in 1.6/develop, and will now throw a SecurityException if the token is missing or doesn't validate. You'll have to catch this in your index.php if you want to handle it gracefully.

Note that this requires that ALL your POST requests contain the token, both form and json posts!
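One way to wire this up in a Fuel v1 application, as an added illustration that is not code from the thread or the project: the view emits the token in every POST form, and index.php catches the SecurityException that auto-validation raises before any controller runs. The calls are standard Fuel 1.x API (Form::hidden, Security::fetch_token, Config::get('security.csrf_token_key'), Log::warning); the 'errors/403' view name is an assumption.

```php
<?php
// app/views/contact.php (illustrative): every POST form must carry the token,
// because with csrf_autoload = true a POST without it is rejected outright.
echo Form::open(array('action' => 'contact/send', 'method' => 'post'));
echo Form::hidden(Config::get('security.csrf_token_key'), Security::fetch_token());
echo Form::input('email');
echo Form::submit('submit', 'Send');
echo Form::close();

// JSON clients need the same key in their body (the thread's point about
// "both form and json posts"); the client can read the key name and the
// token value from the same two calls used above.

// public/index.php (fragment): the auto-validation exception is thrown while
// the request is being set up, so the request bootstrap is the place to
// catch it and turn it into a 403 instead of an uncaught exception page.
try
{
    $response = Request::forge()->execute()->response();
}
catch (SecurityException $e)
{
    // Record the rejected request for monitoring, then answer with 403.
    Log::warning('CSRF validation failed: '.$e->getMessage());
    $response = Response::forge(View::forge('errors/403'), 403); // assumed view name
}

$response->send(true);
```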

WanWizard commented 11 years ago

Continue here: https://github.com/fuelphp/fieldset/issues/6