ZF-7238: Zend_Form_Element_Hash namespace problem


I notice a difference between the namespace of a Zend_Form_Element_Hash with these two examples:

    $token = new Zend_Form_Element_Hash('token');
    $token->setSalt(md5(uniqid(rand(), TRUE)));
    $this->addElement($token);

and this one:

    $this->addElement('hash', 'token', array(
        'salt' => md5(uniqid(rand(), true)),
    ));

If I use the first one in a validation check it works fine. With the second example the validation fails. For instance, in the first scenario the namespace is "Zend_Form_Element_Hash_salt_token" and in the second it is "Zend_Form_Element_Hash_124b1234e34535_token". In this example, if I use the validation, the session name will always fail.

For instance a simple login system into a Controller:

    public function loginAction()
    {
        $flash = $this->_helper->getHelper('flashMessenger');
        if ($flash->hasMessages()) {
            $this->view->message = $flash->getMessages();
        }

        $this->view->form = new App_Form_Login();
    }

    public function submitAction()
    {
        $form = new App_Form_Login();
        $request = $this->getRequest();
        if (!$form->isValid($request->getPost())) {
            ...
        }
    }

This example doesn't work because in the submitAction the instance of the object $form will have a different namespace; the token is generated each time.

My proposal is to change the getSessionName method of Zend/Form/Element/Hash.php:

    public function getSessionName()
    {
        return __CLASS__ . '_' . $this->getSalt() . '_' . $this->getName();
    }

with this one:

    public function getSessionName()
    {
        return __CLASS__ . '_' . $this->getName();
    }

What do you think?



I think your usage is incorrect, the salt should be consistent for each request. Your method of using "md5(uniqid(rand(), TRUE))" means this will never be the case.

I agree with you, you have to be consistent with the value of the salt and, in fact, it works in the first example. The data in POST are consistent with the SESSION value, so it should work.
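To make the point of the thread concrete without a web server, here is an added example that is not Zend Framework code and not from either poster. HashElementStandIn is a hypothetical minimal stand-in that keeps only the session-name logic of Zend_Form_Element_Hash (its default salt is the string 'salt', which is why the first namespace above reads Zend_Form_Element_Hash_salt_token); the $session array stands in for $_SESSION, and the two calls to makeElement() model the form being constructed once on the GET request that renders it and again on the POST request that validates it.

```php
<?php
// Added illustration, not Zend Framework code: a minimal stand-in for
// Zend_Form_Element_Hash that keeps only the session-name logic under
// discussion. $session stands in for $_SESSION / Zend_Session.

class HashElementStandIn
{
    private $name;
    private $salt = 'salt';   // same default as Zend_Form_Element_Hash

    public function __construct($name) { $this->name = $name; }
    public function setSalt($salt)     { $this->salt = $salt; return $this; }
    public function getName()          { return $this->name; }
    public function getSalt()          { return $this->salt; }

    // Mirrors getSessionName(): the salt is part of the session key, so the
    // key only matches across requests if the salt is the same each time.
    public function getSessionName()
    {
        return __CLASS__ . '_' . $this->getSalt() . '_' . $this->getName();
    }

    // Request A (GET): render the form and store a fresh token in the session.
    public function render(array &$session)
    {
        $token = md5(mt_rand() . uniqid('', true));
        $session[$this->getSessionName()] = $token;
        return $token;
    }

    // Request B (POST): compare the posted value with what the session holds
    // under the session name computed by *this* request's element.
    public function isValid($posted, array $session)
    {
        $key = $this->getSessionName();
        return isset($session[$key]) && $session[$key] === $posted;
    }
}

// Build the element the way a form constructor would on every request.
function makeElement($randomSalt)
{
    $el = new HashElementStandIn('token');
    if ($randomSalt) {
        // The pattern from the report: a new salt on every request.
        $el->setSalt(md5(uniqid(rand(), true)));
    } else {
        // Hypothetical constant salt: identical on render and on validate.
        $el->setSalt('app-login-form');
    }
    return $el;
}

// Simulate two HTTP requests that share one session.
function simulate($randomSalt)
{
    $session = array();
    $posted  = makeElement($randomSalt)->render($session);   // request A
    return makeElement($randomSalt)->isValid($posted, $session); // request B
}

var_dump(simulate(true));   // random salt per request
var_dump(simulate(false));  // constant salt
```

With a random salt, request B computes a session name that was never written by request A, so the lookup misses and isValid() is false even though the posted token is exactly what was rendered; with a constant salt the same key is used on both requests and validation succeeds. The salt is therefore a per-form constant that namespaces the stored token, not a per-request secret; the randomness that protects against CSRF comes from the token itself.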