CSRF in Kohana 3.3 - How do you implement this?
  • For Kohana 3.2 I used Skookum/csrf to help handle my submission checks, both on POST and AJAX submissions.

    What is the best practice for 3.3? Do I simply update the module to work for 3.3, or is using Security::token() sufficient?

  • I know that in my previous app, I had a base class, and in the before() method I did this:

    // If it's a POST request, let's start the validation object
    if ($this->request->method() === Request::POST)
    {
            // Create a validation object for later
            $this->_validation = Validation::factory($this->request->post());
    
            // Add the token check to all post requests as a default
            // Update: In hindsight, the not_empty check isn't even needed...
            $this->_validation->rule('token', 'not_empty');
            $this->_validation->rule('token', 'Security::check');
    }
    

    and then I had this function to validate:

    protected function _validate($message_file = '')
    {
        if ($this->_validation->check())
        {
            return TRUE;
        }
    
        $this->_ajax_response('error', $this->_validation->errors($message_file));
    
        return FALSE;
    }
    

    And then in the actual action, I would do this:

    if ($this->_validate())
    {
        /**
         * Perform some sort of action
         */
        $action_was_successful = Blah::perform_whatever($arr);
    
        if ($action_was_successful)
        {
            $this->_ajax_response('success');
        }
        else
        {
            $this->_ajax_response('error', 'Error message here');
        }
    }
    

    Then I had an ajax response handler for the response (ouch).

    I'm not sure if I'd do it this way anymore, but it worked great for me at the time, and it provided me with the consistency, because I always needed to perform validation with POSTs.
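
Added example, not part of either post above: one way to enforce the token on every POST from a base controller in Kohana 3.3, covering both form and AJAX submissions as asked in the question. The class name `Controller_Base` and the `X-CSRF-Token` header name are assumptions; `token` is the field name used in the post above.

```php
<?php defined('SYSPATH') or die('No direct script access.');

// Added example. Assumed location: classes/Controller/Base.php.
// Controller_Base and the X-CSRF-Token header are hypothetical names.
abstract class Controller_Base extends Controller {

    public function before()
    {
        parent::before();

        // Only POST requests are checked here; GET requests pass through,
        // so GET actions must not change state.
        if ($this->request->method() !== Request::POST)
            return;

        // Form posts carry the token as a field. AJAX calls may send it
        // as a request header instead, so accept either source.
        $token = $this->request->post('token');

        if ($token === NULL)
        {
            $token = $this->request->headers('X-CSRF-Token');
        }

        // Fail closed before any action code runs: a missing token is
        // treated the same as a wrong one. Security::check() compares the
        // submitted value with the token held in the session.
        if ( ! is_string($token) OR ! Security::check($token))
        {
            throw HTTP_Exception::factory(403, 'Invalid or missing CSRF token');
        }
    }

}

// View side (shown as a comment so this file stays a pure class file):
//   echo Form::hidden('token', Security::token());
// A script-driven request can read the same value from the page and send
// it back in the X-CSRF-Token header.
```

Because the check sits in `before()`, an action cannot forget to call it, which is the consistency the second post was after with its `_validate()` helper.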
