Difference between #3 and #4 of
How to validate CSRF token with session

Revision #4 has been created by yangmls on Nov 21, 2011, 12:50:31 PM with the memo:

some spell errors

Changes

Title unchanged

How to validate CSRF token with session

Category unchanged

How-tos

Yii version unchanged

Tags unchanged

CSRF, session

Content changed

[...]
Note: When you enable CSRF validation and use the form builder to generate a form (POST only), Yii will automatically generate a hidden field and put it in the form; at the same time, Yii will create a cookie holding the CSRF token. When you submit the form, Yii compares the two CSRF tokens, the one from the POST data and the one from the cookie.

What Problem Will Happen
------------------

1. The user client DOES NOT accept cookies.
2. The user client CAN NOT send a request with cookies.

For example: uploading a file with Flash (SWFUpload).
[...]
------------------

If the user does nothing for too long, the session will be removed by the session garbage collector. In that case, CSRF validation will raise a 400 HTTP exception.

The default session timeout in PHP 5 is 1440 seconds (this may not be exact). You can use ini_get('session.gc_maxlifetime') to view the current timeout and ini_set('session.gc_maxlifetime', $timeout) to change it.

In Yii there is an easier way: just change the session component config.
[...]
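As an added example (not the article's own code and not part of Yii), here is one way to keep the CSRF token in the session instead of a cookie and to lengthen the session gc lifetime from the component config. It assumes Yii 1.1's CHttpRequest and CHttpSession API (csrfTokenName, getIsPostRequest(), the validateCsrfToken handler that CHttpRequest attaches to onBeginRequest, and the session component's timeout property); the class name and the 3600 value are placeholders.

```php
<?php
// Added example, not the article's or Yii's own code. Assumes Yii 1.1.
// A request component that issues and validates the CSRF token from the
// session. Clients that cannot send cookies must then carry the session id
// some other way (e.g. as a request parameter) for validation to succeed.
class SessionCsrfHttpRequest extends CHttpRequest
{
    private $_csrfToken;

    // Read the token from the session, creating one on first use.
    public function getCsrfToken()
    {
        if ($this->_csrfToken === null) {
            $session = Yii::app()->getSession();
            $token = $session->get($this->csrfTokenName);
            if ($token === null) {
                $token = sha1(uniqid(mt_rand(), true));
                $session->add($this->csrfTokenName, $token);
            }
            $this->_csrfToken = $token;
        }
        return $this->_csrfToken;
    }

    // Invoked by onBeginRequest when enableCsrfValidation is on: compare the
    // POSTed token with the session copy and reject the request on mismatch.
    public function validateCsrfToken($event)
    {
        if (!$this->getIsPostRequest()) {
            return;
        }
        $sessionToken = Yii::app()->getSession()->get($this->csrfTokenName);
        $userToken = isset($_POST[$this->csrfTokenName]) ? $_POST[$this->csrfTokenName] : null;
        if ($sessionToken === null || $userToken === null || $sessionToken !== $userToken) {
            throw new CHttpException(400, Yii::t('yii', 'The CSRF token could not be verified.'));
        }
    }
}

// protected/config/main.php (relevant part): use the class above and raise
// the gc lifetime so idle users are not hit with the 400 error too soon.
return array(
    'components' => array(
        'request' => array(
            'class' => 'SessionCsrfHttpRequest',
            'enableCsrfValidation' => true,
        ),
        'session' => array(
            'class' => 'CHttpSession',
            'autoStart' => true,
            'timeout' => 3600, // placeholder; sets session.gc_maxlifetime in seconds
        ),
    ),
);
```

Because the token now lives in the session, it expires together with the session, so the timeout above bounds how long a rendered form stays submittable.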
Viewed: 102 520 times
Version: 1.1
Category: How-tos
Tags: CSRF, session
Written by: yangmls
Last updated by: yangmls
Created on: Nov 21, 2011
Last updated: 13 years ago