Do you have to use Twig? Because I'm trying the example without Twig here, and it's not finding the token. However, when I echo $_POST, it is showing a token, e.g.: [_CSRF_TOKEN] => XXXXXXX= (substituting 'XXXXXXX' for the token).
In the form, I have:
$server = $_SERVER;
$csrft = new AntiCSRF($server);
$token_html = $csrft->insertToken('', true);
On the action page, I have:
$csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
if (!empty($_POST)) {
    if ($csrf->validateRequest()) {
        echo 'Valid form';
    } else {
        // Log a CSRF attack attempt
        echo 'Token is invalid';
    }
}
... and it results in 'Token is invalid'.
I am referencing the class in both the form and the action page with:
use ParagonIE\ConstantTime\{
    Base64UrlSafe,
    Binary
};
use ParagonIE\AntiCSRF\AntiCSRF;
Do I need a hidden input on the form, if not using Twig? I tried:
<input type="hidden" name="form_token" value="<?php echo $token_html; ?>">