Problems with Zend_Form_Element_Hash

> It get's set and reset at every load. Are you by chance using any
> forwarders or redirects? It gave me the error when I sent a form,
> validated it and the went back with the browser button to the form
> again and tried sending it again (of course). Maybe you have some
> code?
>
> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>> Hello.
>>
>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>
>> Any suggestions how to track down this error?
>>
>> - Marcus
>
>
>
> --
> Greetings,
> Christian Riesen
> http://christianriesen.com/ - My personal page
> http://toreas.com/ - Toreas a free fantasy novel
> http://gamewiki.net/ - Open Videogames Wiki

> Hi Chris.
>
> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>
> https://gist.github.com/c66b22f11bbe138df6ad
>
> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>
> - Marcus
>
> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>
>> It get's set and reset at every load. Are you by chance using any
>> forwarders or redirects? It gave me the error when I sent a form,
>> validated it and the went back with the browser button to the form
>> again and tried sending it again (of course). Maybe you have some
>> code?
>>
>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>> Hello.
>>>
>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>
>>> Any suggestions how to track down this error?
>>>
>>> - Marcus
>>
>>
>>
>> --
>> Greetings,
>> Christian Riesen
>> http://christianriesen.com/ - My personal page
>> http://toreas.com/ - Toreas a free fantasy novel
>> http://gamewiki.net/ - Open Videogames Wiki
>
>

> On Register_Controller.php here
> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
> lines 22 and 23 then retry. I think that might be the problem there.
>
> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>> Hi Chris.
>>
>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>
>> https://gist.github.com/c66b22f11bbe138df6ad
>>
>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>
>> - Marcus
>>
>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>
>>> It get's set and reset at every load. Are you by chance using any
>>> forwarders or redirects? It gave me the error when I sent a form,
>>> validated it and the went back with the browser button to the form
>>> again and tried sending it again (of course). Maybe you have some
>>> code?
>>>
>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>> Hello.
>>>>
>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>
>>>> Any suggestions how to track down this error?
>>>>
>>>> - Marcus
>>>
>>>
>>>
>>> --
>>> Greetings,
>>> Christian Riesen
>>> http://christianriesen.com/ - My personal page
>>> http://toreas.com/ - Toreas a free fantasy novel
>>> http://gamewiki.net/ - Open Videogames Wiki
>>
>>
>
>
>
> --
> Greetings,
> Christian Riesen
> http://christianriesen.com/ - My personal page
> http://toreas.com/ - Toreas a free fantasy novel
> http://gamewiki.net/ - Open Videogames Wiki

> Hi Chris.
>
> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>
> - Marcus
>
> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>
>> On Register_Controller.php here
>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>> lines 22 and 23 then retry. I think that might be the problem there.
>>
>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>> Hi Chris.
>>>
>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>
>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>
>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>
>>> - Marcus
>>>
>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>
>>>> It get's set and reset at every load. Are you by chance using any
>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>> validated it and the went back with the browser button to the form
>>>> again and tried sending it again (of course). Maybe you have some
>>>> code?
>>>>
>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>> Hello.
>>>>>
>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>
>>>>> Any suggestions how to track down this error?
>>>>>
>>>>> - Marcus
>>>>
>>>>
>>>>
>>>> --
>>>> Greetings,
>>>> Christian Riesen
>>>> http://christianriesen.com/ - My personal page
>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>
>>>
>>
>>
>>
>> --
>> Greetings,
>> Christian Riesen
>> http://christianriesen.com/ - My personal page
>> http://toreas.com/ - Toreas a free fantasy novel
>> http://gamewiki.net/ - Open Videogames Wiki
>

> Hello.
>
> After some more investigation I found out that the hash provided in my form is not the one stored in the session so it's normal that the validation fails. However, the question now is why is another hash in my form rather the correct one from the session?
> I print out the CSFR-hash using <?php echo $this->form->getElement('csrf'); ?> to customize my form. Any hints about fixing this issue?
>
> - Marcus
>
> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr:
>
>> Hi Chris.
>>
>> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>>
>> - Marcus
>>
>> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>>
>>> On Register_Controller.php here
>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>>> lines 22 and 23 then retry. I think that might be the problem there.
>>>
>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>>> Hi Chris.
>>>>
>>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>>
>>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>>
>>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>>
>>>> - Marcus
>>>>
>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>>
>>>>> It get's set and reset at every load. Are you by chance using any
>>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>>> validated it and the went back with the browser button to the form
>>>>> again and tried sending it again (of course). Maybe you have some
>>>>> code?
>>>>>
>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>>> Hello.
>>>>>>
>>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>>
>>>>>> Any suggestions how to track down this error?
>>>>>>
>>>>>> - Marcus
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Greetings,
>>>>> Christian Riesen
>>>>> http://christianriesen.com/ - My personal page
>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Greetings,
>>> Christian Riesen
>>> http://christianriesen.com/ - My personal page
>>> http://toreas.com/ - Toreas a free fantasy novel
>>> http://gamewiki.net/ - Open Videogames Wiki
>>
>
>

> The problem is that Zend_Form_Element_Hash use session
> namespace of form:
>
> %CLASSNAME%_%SALT%_%ELEMENTNAME%
>
> %CLASSNAME% is Zend_Form_Element_Hash, and
> %SALT% be default is salt, and %ELEMENTNAME% is
> whatever yiu specify, as I guess you specify same element
> name (wich is quite normal), so namespace you receive is
>
> Zend_Form_Element_Hash_salt_csrf
>
> Now, what you can do is either specify your own Zend_Session
> object:
>
> $csrf->setSession($myVeryOwnSessionObject);
>
> Or (which in this case is much better solution) to specify very
> own salt:
>
> $csrf->setSalt('my_very_own_salt');
>
> or passing it as an option 'salt' upon element constructor like this:
> https://gist.github.com/bab9e79ec74b0dbb1aea
>
>
> 2010/7/9 Marcus Stöhr <[hidden email]>:
>> Hello.
>>
>> After some more investigation I found out that the hash provided in my form is not the one stored in the session so it's normal that the validation fails. However, the question now is why is another hash in my form rather the correct one from the session?
>> I print out the CSFR-hash using <?php echo $this->form->getElement('csrf'); ?> to customize my form. Any hints about fixing this issue?
>>
>> - Marcus
>>
>> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr:
>>
>>> Hi Chris.
>>>
>>> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>>>
>>> - Marcus
>>>
>>> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>>>
>>>> On Register_Controller.php here
>>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>>>> lines 22 and 23 then retry. I think that might be the problem there.
>>>>
>>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>>>> Hi Chris.
>>>>>
>>>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>>>
>>>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>>>
>>>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>>>
>>>>> - Marcus
>>>>>
>>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>>>
>>>>>> It get's set and reset at every load. Are you by chance using any
>>>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>>>> validated it and the went back with the browser button to the form
>>>>>> again and tried sending it again (of course). Maybe you have some
>>>>>> code?
>>>>>>
>>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>> Hello.
>>>>>>>
>>>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>>>
>>>>>>> Any suggestions how to track down this error?
>>>>>>>
>>>>>>> - Marcus
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Greetings,
>>>>>> Christian Riesen
>>>>>> http://christianriesen.com/ - My personal page
>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Greetings,
>>>> Christian Riesen
>>>> http://christianriesen.com/ - My personal page
>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>
>>
>>
>
>
>
> --
> Sincerely yours,
> Aleksey V. Zapparov A.K.A. ixti
> FSF Member #7118
> Mobile Phone: +34 617 179 344
> Homepage: http://www.ixti.ru
> JID: [hidden email]
>
> *Origin: Happy Hacking!

> Hello Aleksey.
>
> Your hint at the custom salt-name did the trick. Thank you very much.
> However, the question is still: Why does it not work out of the box?
>
> - Marcus
>
> Am 09.07.2010 um 12:00 schrieb Aleksey Zapparov:
>
>> The problem is that Zend_Form_Element_Hash use session
>> namespace of form:
>>
>> %CLASSNAME%_%SALT%_%ELEMENTNAME%
>>
>> %CLASSNAME% is Zend_Form_Element_Hash, and
>> %SALT% be default is salt, and %ELEMENTNAME% is
>> whatever yiu specify, as I guess you specify same element
>> name (wich is quite normal), so namespace you receive is
>>
>> Zend_Form_Element_Hash_salt_csrf
>>
>> Now, what you can do is either specify your own Zend_Session
>> object:
>>
>> $csrf->setSession($myVeryOwnSessionObject);
>>
>> Or (which in this case is much better solution) to specify very
>> own salt:
>>
>> $csrf->setSalt('my_very_own_salt');
>>
>> or passing it as an option 'salt' upon element constructor like this:
>> https://gist.github.com/bab9e79ec74b0dbb1aea
>>
>>
>> 2010/7/9 Marcus Stöhr <[hidden email]>:
>>> Hello.
>>>
>>> After some more investigation I found out that the hash provided in my form is not the one stored in the session so it's normal that the validation fails. However, the question now is why is another hash in my form rather the correct one from the session?
>>> I print out the CSFR-hash using <?php echo $this->form->getElement('csrf'); ?> to customize my form. Any hints about fixing this issue?
>>>
>>> - Marcus
>>>
>>> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr:
>>>
>>>> Hi Chris.
>>>>
>>>> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>>>>
>>>> - Marcus
>>>>
>>>> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>>>>
>>>>> On Register_Controller.php here
>>>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>>>>> lines 22 and 23 then retry. I think that might be the problem there.
>>>>>
>>>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>>>>> Hi Chris.
>>>>>>
>>>>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>>>>
>>>>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>>>>
>>>>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>>>>
>>>>>> - Marcus
>>>>>>
>>>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>>>>
>>>>>>> It get's set and reset at every load. Are you by chance using any
>>>>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>>>>> validated it and the went back with the browser button to the form
>>>>>>> again and tried sending it again (of course). Maybe you have some
>>>>>>> code?
>>>>>>>
>>>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>>> Hello.
>>>>>>>>
>>>>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>>>>
>>>>>>>> Any suggestions how to track down this error?
>>>>>>>>
>>>>>>>> - Marcus
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Greetings,
>>>>>>> Christian Riesen
>>>>>>> http://christianriesen.com/ - My personal page
>>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Greetings,
>>>>> Christian Riesen
>>>>> http://christianriesen.com/ - My personal page
>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>
>>>
>>>
>>
>>
>>
>> --
>> Sincerely yours,
>> Aleksey V. Zapparov A.K.A. ixti
>> FSF Member #7118
>> Mobile Phone: +34 617 179 344
>> Homepage: http://www.ixti.ru
>> JID: [hidden email]
>>
>> *Origin: Happy Hacking!
>
>

> Hello,
>
> Because it should not. :)) You have to specify a unique hash per element.
> Because salt should be UNIQUE, but hardcoded :)) Else you can pass
> unique salt as part of the form. In this case you'll need to extend Hash
> form element and view helper to append a hidden input field with randomly
> generated salt. But as far as I can see this will cause session overdosing
> with redundant values.
>
> PS "The name of the hash element should be unique. We recommend
> using the salt option for the element- two hashes with same names and
> different salts would not collide." (c) Zend Framework Manual (1)
>
>
> [1] http://framework.zend.com/manual/en/zend.form.standardElements.html#zend.form.standardElements.hash
>
>
> 2010/7/9 Marcus Stöhr <[hidden email]>:
>> Hello Aleksey.
>>
>> Your hint at the custom salt-name did the trick. Thank you very much.
>> However, the question is still: Why does it not work out of the box?
>>
>> - Marcus
>>
>> Am 09.07.2010 um 12:00 schrieb Aleksey Zapparov:
>>
>>> The problem is that Zend_Form_Element_Hash use session
>>> namespace of form:
>>>
>>> %CLASSNAME%_%SALT%_%ELEMENTNAME%
>>>
>>> %CLASSNAME% is Zend_Form_Element_Hash, and
>>> %SALT% be default is salt, and %ELEMENTNAME% is
>>> whatever yiu specify, as I guess you specify same element
>>> name (wich is quite normal), so namespace you receive is
>>>
>>> Zend_Form_Element_Hash_salt_csrf
>>>
>>> Now, what you can do is either specify your own Zend_Session
>>> object:
>>>
>>> $csrf->setSession($myVeryOwnSessionObject);
>>>
>>> Or (which in this case is much better solution) to specify very
>>> own salt:
>>>
>>> $csrf->setSalt('my_very_own_salt');
>>>
>>> or passing it as an option 'salt' upon element constructor like this:
>>> https://gist.github.com/bab9e79ec74b0dbb1aea
>>>
>>>
>>> 2010/7/9 Marcus Stöhr <[hidden email]>:
>>>> Hello.
>>>>
>>>> After some more investigation I found out that the hash provided in my form is not the one stored in the session so it's normal that the validation fails. However, the question now is why is another hash in my form rather the correct one from the session?
>>>> I print out the CSFR-hash using <?php echo $this->form->getElement('csrf'); ?> to customize my form. Any hints about fixing this issue?
>>>>
>>>> - Marcus
>>>>
>>>> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr:
>>>>
>>>>> Hi Chris.
>>>>>
>>>>> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>>>>>
>>>>> - Marcus
>>>>>
>>>>> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>>>>>
>>>>>> On Register_Controller.php here
>>>>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>>>>>> lines 22 and 23 then retry. I think that might be the problem there.
>>>>>>
>>>>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>> Hi Chris.
>>>>>>>
>>>>>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>>>>>
>>>>>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>>>>>
>>>>>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>>>>>
>>>>>>> - Marcus
>>>>>>>
>>>>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>>>>>
>>>>>>>> It get's set and reset at every load. Are you by chance using any
>>>>>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>>>>>> validated it and the went back with the browser button to the form
>>>>>>>> again and tried sending it again (of course). Maybe you have some
>>>>>>>> code?
>>>>>>>>
>>>>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>>>> Hello.
>>>>>>>>>
>>>>>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>>>>>
>>>>>>>>> Any suggestions how to track down this error?
>>>>>>>>>
>>>>>>>>> - Marcus
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Greetings,
>>>>>>>> Christian Riesen
>>>>>>>> http://christianriesen.com/ - My personal page
>>>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Greetings,
>>>>>> Christian Riesen
>>>>>> http://christianriesen.com/ - My personal page
>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Sincerely yours,
>>> Aleksey V. Zapparov A.K.A. ixti
>>> FSF Member #7118
>>> Mobile Phone: +34 617 179 344
>>> Homepage: http://www.ixti.ru
>>> JID: [hidden email]
>>>
>>> *Origin: Happy Hacking!
>>
>>
>
>
>
> --
> Sincerely yours,
> Aleksey V. Zapparov A.K.A. ixti
> FSF Member #7118
> Mobile Phone: +34 617 179 344
> Homepage: http://www.ixti.ru
> JID: [hidden email]
>
> *Origin: Happy Hacking!

> Hello.
>
> Learn something new every day. I didn't consulted the manual as the implementiation worked prior so I thought the problem must be elsewhere.
> Now that this issue is fixed, I thank you for your answers. :)
>
> - Marcus
>
> Am 09.07.2010 um 13:03 schrieb Aleksey Zapparov:
>
>> Hello,
>>
>> Because it should not. :)) You have to specify a unique hash per element.
>> Because salt should be UNIQUE, but hardcoded :)) Else you can pass
>> unique salt as part of the form. In this case you'll need to extend Hash
>> form element and view helper to append a hidden input field with randomly
>> generated salt. But as far as I can see this will cause session overdosing
>> with redundant values.
>>
>> PS "The name of the hash element should be unique. We recommend
>> using the salt option for the element- two hashes with same names and
>> different salts would not collide." (c) Zend Framework Manual (1)
>>
>>
>> [1] http://framework.zend.com/manual/en/zend.form.standardElements.html#zend.form.standardElements.hash
>>
>>
>> 2010/7/9 Marcus Stöhr <[hidden email]>:
>>> Hello Aleksey.
>>>
>>> Your hint at the custom salt-name did the trick. Thank you very much.
>>> However, the question is still: Why does it not work out of the box?
>>>
>>> - Marcus
>>>
>>> Am 09.07.2010 um 12:00 schrieb Aleksey Zapparov:
>>>
>>>> The problem is that Zend_Form_Element_Hash use session
>>>> namespace of form:
>>>>
>>>> %CLASSNAME%_%SALT%_%ELEMENTNAME%
>>>>
>>>> %CLASSNAME% is Zend_Form_Element_Hash, and
>>>> %SALT% be default is salt, and %ELEMENTNAME% is
>>>> whatever yiu specify, as I guess you specify same element
>>>> name (wich is quite normal), so namespace you receive is
>>>>
>>>> Zend_Form_Element_Hash_salt_csrf
>>>>
>>>> Now, what you can do is either specify your own Zend_Session
>>>> object:
>>>>
>>>> $csrf->setSession($myVeryOwnSessionObject);
>>>>
>>>> Or (which in this case is much better solution) to specify very
>>>> own salt:
>>>>
>>>> $csrf->setSalt('my_very_own_salt');
>>>>
>>>> or passing it as an option 'salt' upon element constructor like this:
>>>> https://gist.github.com/bab9e79ec74b0dbb1aea
>>>>
>>>>
>>>> 2010/7/9 Marcus Stöhr <[hidden email]>:
>>>>> Hello.
>>>>>
>>>>> After some more investigation I found out that the hash provided in my form is not the one stored in the session so it's normal that the validation fails. However, the question now is why is another hash in my form rather the correct one from the session?
>>>>> I print out the CSFR-hash using <?php echo $this->form->getElement('csrf'); ?> to customize my form. Any hints about fixing this issue?
>>>>>
>>>>> - Marcus
>>>>>
>>>>> Am 08.07.2010 um 09:30 schrieb Marcus Stöhr:
>>>>>
>>>>>> Hi Chris.
>>>>>>
>>>>>> Nope, didn't work. I still get 'The two given tokens do not match' for the Hash-element.
>>>>>>
>>>>>> - Marcus
>>>>>>
>>>>>> Am 08.07.2010 um 09:28 schrieb Chris Riesen:
>>>>>>
>>>>>>> On Register_Controller.php here
>>>>>>> https://gist.github.com/c66b22f11bbe138df6ad delete or comment out
>>>>>>> lines 22 and 23 then retry. I think that might be the problem there.
>>>>>>>
>>>>>>> On Thu, Jul 8, 2010 at 9:18 AM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>>> Hi Chris.
>>>>>>>>
>>>>>>>> The only redirect action I have fires only when the form is valid and the user saved in the database. Here is some sample code (I stripped out some things not relevant):
>>>>>>>>
>>>>>>>> https://gist.github.com/c66b22f11bbe138df6ad
>>>>>>>>
>>>>>>>> I use the actual trunk of Zend Framework and tried also the latest release 1.10.6 but the problems stays the same.
>>>>>>>>
>>>>>>>> - Marcus
>>>>>>>>
>>>>>>>> Am 07.07.2010 um 21:36 schrieb Chris Riesen:
>>>>>>>>
>>>>>>>>> It get's set and reset at every load. Are you by chance using any
>>>>>>>>> forwarders or redirects? It gave me the error when I sent a form,
>>>>>>>>> validated it and the went back with the browser button to the form
>>>>>>>>> again and tried sending it again (of course). Maybe you have some
>>>>>>>>> code?
>>>>>>>>>
>>>>>>>>> On Wed, Jul 7, 2010 at 8:22 PM, Marcus Stöhr <[hidden email]> wrote:
>>>>>>>>>> Hello.
>>>>>>>>>>
>>>>>>>>>> I have a strange problem: I have a form where I add an CSFR-Protection using Zend_Form_Element_Hash.
>>>>>>>>>> When I call the form, a new session is correctly created in the database. But when I submit the form, I get a validation error stating that the provided hash doesn't match the saved one. The funny part is that this exactly form already worked and I haven't changed anything that could cause this (well, I did not activly changed anything).
>>>>>>>>>>
>>>>>>>>>> Any suggestions how to track down this error?
>>>>>>>>>>
>>>>>>>>>> - Marcus
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Greetings,
>>>>>>>>> Christian Riesen
>>>>>>>>> http://christianriesen.com/ - My personal page
>>>>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Greetings,
>>>>>>> Christian Riesen
>>>>>>> http://christianriesen.com/ - My personal page
>>>>>>> http://toreas.com/ - Toreas a free fantasy novel
>>>>>>> http://gamewiki.net/ - Open Videogames Wiki
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Sincerely yours,
>>>> Aleksey V. Zapparov A.K.A. ixti
>>>> FSF Member #7118
>>>> Mobile Phone: +34 617 179 344
>>>> Homepage: http://www.ixti.ru
>>>> JID: [hidden email]
>>>>
>>>> *Origin: Happy Hacking!
>>>
>>>
>>
>>
>>
>> --
>> Sincerely yours,
>> Aleksey V. Zapparov A.K.A. ixti
>> FSF Member #7118
>> Mobile Phone: +34 617 179 344
>> Homepage: http://www.ixti.ru
>> JID: [hidden email]
>>
>> *Origin: Happy Hacking!
>
>