Revision #4 has been created by yangmls on Nov 21, 2011, 12:50:31 PM with the memo:
some spell errors
« previous (#3)
Changes
Title
unchanged
How to validate CSRF token with session
Category
unchanged
How-tos
Yii version
unchanged
Tags
unchanged
CSRF, session
Content
changed
[...]
Note: When you ebable CSRF validation and use form builder to generate a form(only post), Yii will auto generate a hidden field and put it in the form, at the same time, Yii will create a cookie with CSRF token. When you submit the form, Yii will compare two CSRF tokens from post and cookie.
What Problem Will Happen
------------------
1.The user client DOES NOT accept cookie.
2.The user client CAN NOT send a request with cookie
.
For example: upload file use flash (swfupload)[...]
------------------
If user does nothing too long time, the session will be removed by session gc. In that caste, CSRF validation will raise a 400 HTTP exception.
The default session timeout in php5 is 1440(may be not exact), your can use function ini_get('session.gc_maxlifetime') to view the default timeout and use the function ini_set('session.gc_maxlifetime', $timeout) to set.
In Yii, We hava a easy way to set. Just change the session component config.[...]