CSRF and load balancing

Hello there!

I have a question regarding CSRF-validation and load balancing:

I’m using a load balancer between two servers, and I have the sessions in db. This works fine and sessions are handled correctly.

The problem I have, is that when the CSRF-validation is set to true in the main-config, the CSRF-token is not verified when the load balancer switches between the servers.

Does anyone have any solution for this? Should I save the CSRF-token on the file server or in db? The CSRF-cookie doesn’t work at all here.


Is the problem you are experiencing caused by your form taking the value from the session variable rather than the db variable?

Of course the session variable may differ between servers if done this way.

We are using shared sessions via db, but the CSRF-token is in a cookie, and it is always created when a form is created. So, when the server switches, the CSRF-token value is changed, which leads to that the CSRF-token is not validated. I don’t really know what to do here, as it would be essential to have the CSRF-validation on.

It would be nice to be able to configure the CSRF-validation to skip validation from predefined servers.

Sorry to resurrect this topic, but I’m facing the same problem. Has anyone found a workable solution? Preferably involving replicating the CSRF token via db or something similar?

I want to deploy my Yii application in two web servers. I just got an idea: resolve load balancing through the links. That is, I will configure two web servers:

Web server 1 with two domains: www.mydomain.com and ws1.mydomain.com

Web server 2 with one domain: ws1.midominio.com

Then, if a page contains five links, their URLs will be, for example:






I was wondering if this solution may has any problem. Tecnically, I don’t see any problem, but maybe with search engines. What do you think?

Can’t you just change the cookie settings for the CSRF cookie to be higher up the domain?

.mydomain.com instead of ws1.mydomain.com?

Just modify it through CHttpRequest::csrfCookie, which you can do in the config file, via the components