Csrf — Zend Framework 2 2.4.9 documentation

Csrf

Zend\Form\Element\Csrf pairs with the Zend\Form\View\Helper\FormHidden view helper to provide protection from CSRF attacks on forms, ensuring that submitted data comes from the user session that rendered the form and not from a rogue script on another origin. Protection is achieved by adding a hidden element carrying a session-bound hash to the form and verifying that hash when the form is submitted.

Basic Usage

This element automatically adds a "type" attribute of value "hidden".

use Zend\Form\Element;
use Zend\Form\Form;

// Renders as <input type="hidden" name="csrf" value="..."> once the form is prepared
$csrf = new Element\Csrf('csrf');

$form = new Form('my-form');
$form->add($csrf);

You can change the options of the CSRF validator using the setCsrfValidatorOptions() method, or by passing them under the "csrf_options" key of the element's options. The "timeout" option is the number of seconds the token stays valid after the form is rendered; the validator's default is 300. Here is an example using the array notation:

use Zend\Form\Form;

$form = new Form('my-form');
$form->add(array(
    'type'    => 'Zend\Form\Element\Csrf',
    'name'    => 'csrf',
    'options' => array(
        'csrf_options' => array(
            'timeout' => 600, // seconds; default is 300
        ),
    ),
));

Note

If you are using more than one form on a page, and each contains its own CSRF element, you will need to make sure that each form uniquely names its element; if you do not, it’s possible for the value of one to override the other within the server-side session storage, leading to the inability to validate one or more of the forms on your page. We suggest prefixing the element name with the form’s name or function: “login_csrf”, “registration_csrf”, etc.
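Putting the options example and the naming advice above together, here is an added example (not from the ZF2 manual or the framework's own code) of a controller that builds a login form with a uniquely named CSRF element, prepares it for rendering, and validates the POSTed token. The controller class, the route name "home" and the field names are assumed for illustration; a standard ZF2 2.4 MVC application with sessions enabled is assumed.

```php
<?php
// Added example, not ZF2 manual code. Assumes a ZF2 2.4 MVC application with
// session support; AuthController, the "home" route and the field names are
// hypothetical.
namespace Application\Controller;

use Zend\Form\Form;
use Zend\Mvc\Controller\AbstractActionController;
use Zend\View\Model\ViewModel;

class AuthController extends AbstractActionController
{
    /**
     * Build the login form. The CSRF element is named "login_csrf" so its
     * token cannot collide in session storage with, say, a "registration_csrf"
     * element belonging to another form rendered on the same page.
     */
    protected function buildLoginForm()
    {
        $form = new Form('login');

        $form->add(array(
            'name' => 'username',
            'type' => 'Zend\Form\Element\Text',
        ));
        $form->add(array(
            'name' => 'password',
            'type' => 'Zend\Form\Element\Password',
        ));

        // Same effect as new Element\Csrf('login_csrf') followed by
        // $csrf->setCsrfValidatorOptions(array('timeout' => 600)).
        $form->add(array(
            'type'    => 'Zend\Form\Element\Csrf',
            'name'    => 'login_csrf',
            'options' => array(
                'csrf_options' => array(
                    'timeout' => 600, // seconds the token stays valid after rendering
                ),
            ),
        ));

        $form->add(array(
            'name'       => 'submit',
            'type'       => 'Zend\Form\Element\Submit',
            'attributes' => array('value' => 'Log in'),
        ));

        return $form;
    }

    public function loginAction()
    {
        $form    = $this->buildLoginForm();
        $request = $this->getRequest();
        $csrfErrors = array();

        if ($request->isPost()) {
            // setData() picks login_csrf out of the POST body; isValid() runs
            // the element's input specification: StringTrim, then
            // Zend\Validator\Csrf comparing the value with the hash in session.
            $form->setData($request->getPost());

            if ($form->isValid()) {
                $data = $form->getData();
                // ... authenticate $data['username'] / $data['password'] here ...
                return $this->redirect()->toRoute('home');
            }

            // A missing, forged or expired token surfaces as the validator's
            // "notSame" message on the login_csrf element, not as an exception.
            $csrfErrors = $form->get('login_csrf')->getMessages();
        }

        // prepare() regenerates the hash (Csrf::prepareElement), so it must run
        // before the view helpers render the element's value.
        $form->prepare();

        return new ViewModel(array(
            'form'       => $form,
            'csrfErrors' => $csrfErrors,
        ));
    }
}
```

In the view script, emit the token with `echo $this->formHidden($form->get('login_csrf'));` (or `$this->formElement(...)`) between `$this->form()->openTag($form)` and `$this->form()->closeTag()`. Because `prepare()` regenerates the hash, the value rendered is the one the validator will accept on the next submission until the 600 second timeout elapses; a form rendered twice before being submitted therefore only validates against the most recent render.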

Public Methods

The following methods are in addition to the inherited methods of Zend\Form\Element.

getInputSpecification()

Returns an input filter specification, which includes a Zend\Filter\StringTrim filter and a Zend\Validator\Csrf validator to validate the CSRF value.

Return type: array

setCsrfValidatorOptions(array $options)

Set the options that are used by the CSRF validator.

getCsrfValidatorOptions()

Get the options that are used by the CSRF validator.

Return type: array

setCsrfValidator(Zend\Validator\Csrf $validator)

Override the default CSRF validator by setting another one.

getCsrfValidator()

Get the CSRF validator.

Return type: Zend\Validator\Csrf
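To show these methods working together, here is an added example (not from the ZF2 manual or the framework's own code) that overrides the default validator with one carrying a per-form salt and a longer lifetime, then validates a submitted value through the element's input specification. It assumes ZF2 2.4 with a started session; the salt value "registration_form" and the sample posted values are constructed for illustration.

```php
<?php
// Added example, not ZF2 manual code. Assumes ZF2 2.4 with sessions started
// (e.g. inside a web request); the salt and the posted values are constructed.
use Zend\Form\Element\Csrf as CsrfElement;
use Zend\InputFilter\Factory as InputFactory;
use Zend\Validator\Csrf as CsrfValidator;

$element = new CsrfElement('registration_csrf');

// A validator supplied through setCsrfValidator() is used as-is: the element
// only copies its own name into the validator when it builds the default one,
// so set the name explicitly. Name and salt together select the session
// container that stores the hash, which is what keeps the tokens of different
// forms from overwriting each other.
$validator = new CsrfValidator(array(
    'name'    => $element->getName(),
    'salt'    => 'registration_form', // assumed per-form salt; letters, digits and "_" only
    'timeout' => 900,                 // seconds
));
$element->setCsrfValidator($validator);

// getCsrfValidatorOptions() still reports what was set via csrf_options or
// setCsrfValidatorOptions(); it does not reflect the overriding validator.
$element->setCsrfValidatorOptions(array('timeout' => 900));

// Rendering side: the element's value is the validator's current hash.
// getHash(true) regenerates it, exactly as Form::prepare() does before rendering.
$token = $element->getCsrfValidator()->getHash(true);
$sameToken = ($token === $element->getValue()); // true

// Submission side: build an Input from getInputSpecification(), which wires
// the StringTrim filter and the (overridden) validator in front of the value.
$factory = new InputFactory();
$spec    = $element->getInputSpecification();

/**
 * Validate a posted token against the element's input specification.
 * Returns 'ok' on success, otherwise the validator messages joined together.
 */
function checkToken(InputFactory $factory, array $spec, $posted)
{
    $input = $factory->createInput($spec);
    $input->setValue($posted);

    return $input->isValid() ? 'ok' : implode('; ', $input->getMessages());
}

// Surrounding whitespace is removed by StringTrim before the comparison.
echo checkToken($factory, $spec, " {$token} "), PHP_EOL;

// A forged value fails with the validator's "notSame" message.
echo checkToken($factory, $spec, 'not-the-token'), PHP_EOL;

// An empty submission fails as well: the specification marks the input required.
echo checkToken($factory, $spec, ''), PHP_EOL;
```

The salt is restricted to letters, digits and underscores because it becomes part of the Zend\Session\Container name; a value with a hyphen or space would make the container constructor throw.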

Copyright

© 2006-2019 by Zend, a Rogue Wave Company.