CActiveForm and CSRF

I am using CActiveForms throughout my application. The problem that I am facing right now is that if a user has a form open for too long without submitting it, then when he tries to submit he gets an HTTP 400 exception: "The CSRF token could not be verified."

Because I have also enabled the OnChange validation of CActiveForm fields, this can also be observed without actually doing a submission but only by changing a field value.

My problem:

a- How can I prevent it altogether?

b- If (a) is not possible, how can I show the user that he needs to reload the page to submit the form? Should I extend CFormModel and do a try-catch somewhere?

I would think you’ll either need to turn off the CSRF, or add some kind of JavaScript to your page to periodically refresh it.

Hi

I was looking for something else, just stumbled on this entry.

For those looking how to monitor the CSRF token, check out my wiki page: http://www.yiiframework.com/wiki/506/checking-for-expired-sessions-logins-on-the-client-side/
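
For option (b) in the question, one way to keep CSRF validation enabled and still tell the user to reload is to wrap the check in a `CHttpRequest` subclass. This is an added example, not code from the thread or from the linked wiki page; the class name `HttpRequest`, its file path, the flash key `csrfExpired` and the log category are assumptions.

```php
<?php
// protected/components/HttpRequest.php  (hypothetical class name and path)
//
// Enable it in protected/config/main.php:
//   'components' => array(
//       'request' => array(
//           'class' => 'HttpRequest',
//           'enableCsrfValidation' => true,   // validation stays ON
//       ),
//   ),
class HttpRequest extends CHttpRequest
{
    /**
     * Same check as the parent. On failure the POST is still discarded,
     * but a normal form submit is sent back to the page with a notice
     * instead of the bare HTTP 400 error page.
     */
    public function validateCsrfToken($event)
    {
        try {
            parent::validateCsrfToken($event);
        } catch (CHttpException $e) {
            // AJAX calls (CActiveForm on-change validation) keep the 400
            // so client-side code can react to the status code.
            if ($e->statusCode != 400 || $this->getIsAjaxRequest()) {
                throw $e;
            }

            // Record the rejection: a spike from one referrer is worth a look.
            Yii::log(
                'CSRF token rejected for ' . $this->getUrl(),
                CLogger::LEVEL_WARNING,
                'application.csrf'
            );

            Yii::app()->user->setFlash(
                'csrfExpired',
                'Your form expired. Please fill it in and submit again.'
            );

            // Redirect to the same page via GET so it renders a fresh token.
            // Prefixing the host and trimming leading slashes keeps a
            // request URI like "//other-host/x" from becoming an off-site
            // redirect.
            $this->redirect($this->getHostInfo() . '/' . ltrim($this->getUrl(), '/'));
        }
    }
}
```

The layout or form view then shows the notice with `Yii::app()->user->getFlash('csrfExpired')`. The rejected POST is never processed, so the data the user typed is lost and has to be entered again.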