|
Size: | 12834 |
Storage flags: | no_autoload,compress/gzip (29%) |
Zend\Form\Element\Csrf pairs with the Zend\Form\View\Helper\FormHidden to provide protection from CSRF attacks on forms, ensuring the data is submitted by the user session that generated the form and not by a rogue script. Protection is achieved by adding a hash element to a form and verifying it when the form is submitted.
Basic Usage
This element automatically adds a "type" attribute of value "hidden".
1 2 3 4 5 6 7 | use Zend\Form\Element;
use Zend\Form\Form;
$csrf = new Element\Csrf('csrf');
$form = new Form('my-form');
$form->add($csrf);
|
You can change the options of the CSRF validator using the setCsrfValidatorOptions function, or by using the "csrf_options" key. Here is an example using the array notation:
1 2 3 4 5 6 7 8 9 10 11 12 | use Zend\Form\Form;
$form = new Form('my-form');
$form->add(array(
'type' => 'Zend\Form\Element\Csrf',
'name' => 'csrf',
'options' => array(
'csrf_options' => array(
'timeout' => 600
)
)
));
|
Note
If you are using more than one form on a page, and each contains its own CSRF element, you will need to make sure that each form uniquely names its element; if you do not, it’s possible for the value of one to override the other within the server-side session storage, leading to the inability to validate one or more of the forms on your page. We suggest prefixing the element name with the form’s name or function: “login_csrf”, “registration_csrf”, etc.
Public Methods
The following methods are in addition to the inherited methods of Zend\Form\Element.
Returns a input filter specification, which includes a Zend\Filter\StringTrim filter and a Zend\Validator\Csrf to validate the CSRF value.
Return type: | array |
---|
Set the options that are used by the CSRF validator.
Get the options that are used by the CSRF validator.
Return type: | array |
---|
Override the default CSRF validator by setting another one.
Get the CSRF validator.
Return type: | ZendValidatorCsrf |
---|
The source code of this file is hosted on GitHub. Everyone can update and fix errors in this document with few clicks - no downloads needed.