Package Home

Zend Framework 2 Documentation (Manual)

PHK Home

File: /modules/zend.form.element.csrf.html

Size:12834
Storage flags:no_autoload,compress/gzip (29%)
Csrf — Zend Framework 2 2.4.2 documentation

Navigation

CsrfΒΆ

Zend\Form\Element\Csrf pairs with the Zend\Form\View\Helper\FormHidden to provide protection from CSRF attacks on forms, ensuring the data is submitted by the user session that generated the form and not by a rogue script. Protection is achieved by adding a hash element to a form and verifying it when the form is submitted.

Basic Usage

This element automatically adds a "type" attribute of value "hidden".

1
2
3
4
5
6
7
use Zend\Form\Element;
use Zend\Form\Form;

$csrf = new Element\Csrf('csrf');

$form = new Form('my-form');
$form->add($csrf);

You can change the options of the CSRF validator using the setCsrfValidatorOptions function, or by using the "csrf_options" key. Here is an example using the array notation:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
 use Zend\Form\Form;

 $form = new Form('my-form');
 $form->add(array(
     'type' => 'Zend\Form\Element\Csrf',
     'name' => 'csrf',
     'options' => array(
             'csrf_options' => array(
                     'timeout' => 600
             )
     )
 ));

Note

If you are using more than one form on a page, and each contains its own CSRF element, you will need to make sure that each form uniquely names its element; if you do not, it’s possible for the value of one to override the other within the server-side session storage, leading to the inability to validate one or more of the forms on your page. We suggest prefixing the element name with the form’s name or function: “login_csrf”, “registration_csrf”, etc.

Public Methods

The following methods are in addition to the inherited methods of Zend\Form\Element.

getInputSpecification()

Returns a input filter specification, which includes a Zend\Filter\StringTrim filter and a Zend\Validator\Csrf to validate the CSRF value.

Return type:array
setCsrfValidatorOptions(array $options)

Set the options that are used by the CSRF validator.

getCsrfValidatorOptions()

Get the options that are used by the CSRF validator.

Return type:array
setCsrfValidator(ZendValidatorCsrf $validator)

Override the default CSRF validator by setting another one.

getCsrfValidator()

Get the CSRF validator.

Return type:ZendValidatorCsrf

This Page

Note: You need to stay logged into your GitHub account to contribute to the documentation.

Navigation

© Copyright 2015, Zend Technologies Ltd.. Created using Sphinx 1.2.2.
Edit this document

Edit this document

The source code of this file is hosted on GitHub. Everyone can update and fix errors in this document with few clicks - no downloads needed.

  1. Login with your GitHub account.
  2. Go to Csrf on GitHub.
  3. Edit file contents using GitHub's text editor in your web browser
  4. Fill in the Commit message text box at the end of the page telling why you did the changes. Press Propose file change button next to it when done.
  5. On Send a pull request page you don't need to fill in text anymore. Just press Send pull request button.
  6. Your changes are now queued for review under project's Pull requests tab on GitHub.
For more information about the PHK package format: http://phk.tekwire.net