Keeping a generated variable after submitting a form on the same page

Date: 2014-07-30 08:22:59

Tags: php html forms validation csrf

This is a bit hard to explain. I have a registration form on the same page as the registration script, and I am using tokens for CSRF protection. When the page is generated, the token is generated as a SESSION variable. I have a function that runs when the POST data is submitted to register the user. When the data is submitted, the script regenerates another token, so I cannot check the token against the session variable. If I remove the function wrapper (see the code below), everything works fine. The reason I have this function is to display errors in a certain div. All my PHP classes work correctly, that is not the problem, but if you need to see the code, please ask.

Code:

<?php
require_once "assets/php/core/init.php";
require_once "assets/php/core/autoload.php";

function register(){
    // Only runs on a POST; Token::check() compares the submitted token against the session.
    if(Input::exists()){
        if(Token::check(Input::get("token"))){
            echo 'Token Checked';
            // Honeypot field: real users leave it empty, automated submissions tend to fill it.
            $spamField = Input::get("automated");
            if(!isset($spamField)){
                $Validation = new Validation();
                $Validation->validate(array(
                    'username' => array(
                        'key' => 'Username',
                        'value' => Input::get("username"),
                        'min' => '1',
                        'max' => '32',
                        'alphanumeric' => true,
                        'required' => true
                    ),
                    'email' => array(
                        'key' => 'E-Mail',
                        'value' => Input::get("email"),
                        'max' => '128',
                        'email' => true,
                        'required' => true
                    ),
                    'password' => array(
                        'key' => 'Password',
                        'value' => Input::get("password"),
                        'required' => true
                    )
                ));

                if($Validation->passed()){
                    echo 'OK';
                } else {
                    foreach($Validation->errors() as $error){
                        echo $error . '<br>';
                    }
                }
            }
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Codemy - Register</title>
    <link rel="stylesheet" type="text/css" href="assets/css/core/core.css">
    <link rel="stylesheet" type="text/css" href="assets/css/core/fonts.css">
    <link rel="stylesheet" type="text/css" href="assets/css/extra/fontello/css/fontello.css">
    <script type="text/javascript" src="assets/js/extra/jquery.js"></script>
    <script type="text/javascript" src="assets/js/core/core.js"></script>
</head>
<body>
<header>
    <div class="row">
        <div class="container clearfix">
            <div id="logo"><a href="./">Codemy</a></div>

            <ul class="right links">
                <li><a href="#" class="fade-in">Features</a></li>
                <li><a href="#" class="fade-in">Premium</a></li>
                <li><a href="#" class="fade-in">Explore</a></li>
                <li><a href="login.php" class="btn btn-primary btn-red fade-in toggle">Sign In</a></li>
            </ul>
        </div>
    </div>
</header>

<main>
    <section>
        <div class="row">
            <div class="box-half white-background">
                <form class="form" method="post" action="register.php">
                    <div class="form-header clearfix">
                        <div class="column half">
                            <h1 class="form-title left">Create an Account for Free</h1>
                        </div>
                        <div class="column half">
                            <p class="right form-note">Have an account? <a href="login.php" class="red
                            secondary">Click
                                    Here</a></p>
                        </div>
                    </div>

                    <div class="form-body">
                        <div class="box-two-thirds">
                            <div class="row">
                                <label for="username" class="form-label">Username:</label>
                                <input id="username" type="text" name="username" class="form-input fade-in width-full"
                                       placeholder="Username" autocomplete="off" autofocus="true">
                            </div>

                            <div class="row">
                                <label for="email" class="form-label">E-Mail:</label>
                                <input id="email" type="text" name="email" class="form-input fade-in width-full"
                                       placeholder="E-Mail" autocomplete="off">
                            </div>

                            <div class="row">
                                <label for="password" class="form-label">Password:</label>
                                <input id="password" type="password" name="password" class="form-input fade-in
                            width-full" placeholder="Password" autocomplete="off">
                            </div>

                            <div class="row">
                                <input type="submit" name="submit" class="btn btn-medium btn-primary btn-red
                            width-full fade-in" value="Get Started For Free">
                            </div>

                            <div class="row">
                                <input type="text" name="automated" class="hidden">
                                <input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
                            </div>

                            <div class="row">
                                <p><?php register(); ?></p>
                            </div>
                        </div>
                    </div>

                    <div class="form-footer">
                        <p class="form-note">By signing up, you agree to our <a href="#" class="red
                        secondary">Terms of Service</a></p>
                    </div>
                </form>
            </div>
        </div>
    </section>
</main>

<footer>
    <div class="container">
        <div class="row clearfix">
            <p class="left no-margin" style="line-height: 75px;">Built In Chicago | &copy; 2014 Codemy</p>

            <div class="right">
                <ul class="footer-links">
                    <li><a href="#">Terms</a></li>
                    <li><a href="#">Privacy Policy</a></li>
                    <li><a href="#">Help</a></li>
                    <li><a href="#">Contact</a></li>
                </ul>
            </div>
        </div>
    </div>
</footer>
</body>
</html>

1 answer:

Answer 0 (score: 0)

I think you need to manually keep a record of the previously generated unique token. That way you can check the POST against "previousToken" and do whatever else you want with the new token.

Something like this:

$_SESSION['previousToken'] = $_SESSION['Token'];

Does this help you?
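The following is an added example, not code from the question or the answer, and it does not use the asker's Token, Input or Validation classes (which are not shown on the page). It illustrates both points raised above in one self-contained register.php: the POST is verified before a new token is issued for the page being rendered, and the token being replaced is kept under a "previous" key (as the answer suggests) so a form rendered with the old token still validates once. The class name CsrfToken and its method names issue() and verify() are assumptions made for this example.

```php
<?php
// Added example (assumed names: CsrfToken, issue, verify). Requires PHP 7.0+
// for random_bytes(); session_start() must run before any output.
declare(strict_types=1);

final class CsrfToken
{
    private const KEY = 'csrf_token';
    private const PREVIOUS_KEY = 'csrf_token_previous';

    /** Issue a fresh token. The token it replaces is kept under PREVIOUS_KEY so a
     *  form that was rendered with the old token can still be validated once. */
    public static function issue(): string
    {
        if (isset($_SESSION[self::KEY])) {
            $_SESSION[self::PREVIOUS_KEY] = $_SESSION[self::KEY];
        }
        $_SESSION[self::KEY] = bin2hex(random_bytes(32));
        return $_SESSION[self::KEY];
    }

    /** Constant-time comparison against the current token, then the previous one.
     *  A token that matches is removed from the session so it cannot be replayed. */
    public static function verify($submitted): bool
    {
        if (!is_string($submitted) || $submitted === '') {
            return false;   // missing, empty, or an array sent as token[]=...
        }
        foreach ([self::KEY, self::PREVIOUS_KEY] as $key) {
            if (isset($_SESSION[$key]) && hash_equals($_SESSION[$key], $submitted)) {
                unset($_SESSION[$key]);
                return true;
            }
        }
        return false;
    }
}

session_start();

// 1. Handle the POST first, while the session still holds the token the form was rendered with.
$messages = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!CsrfToken::verify($_POST['token'] ?? null)) {
        $messages[] = 'Form token invalid or expired, please try again.';
    } elseif (($_POST['automated'] ?? '') !== '') {
        // Honeypot field was filled in: treat as an automated submission.
        $messages[] = 'Submission rejected.';
    } else {
        $username = trim((string)($_POST['username'] ?? ''));
        if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $username)) {
            $messages[] = 'Username must be 1 to 32 alphanumeric characters.';
        }
        if (filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
            $messages[] = 'E-Mail is not valid.';
        }
        if (($_POST['password'] ?? '') === '') {
            $messages[] = 'Password is required.';
        }
        if ($messages === []) {
            $messages[] = 'OK';   // registration would happen here
        }
    }
}

// 2. Only now generate the token for the form that is about to be rendered.
$token = CsrfToken::issue();
?>
<form method="post" action="register.php">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="username" placeholder="Username" autocomplete="off">
    <input type="text" name="email" placeholder="E-Mail" autocomplete="off">
    <input type="password" name="password" placeholder="Password" autocomplete="off">
    <input type="text" name="automated" class="hidden">
    <input type="submit" value="Get Started For Free">
    <p><?php foreach ($messages as $m) { echo htmlspecialchars($m, ENT_QUOTES, 'UTF-8'), '<br>'; } ?></p>
</form>
```

Two details matter for the token check itself: hash_equals() avoids leaking the token through timing differences in the comparison, and the is_string() guard prevents a request that sends token as an array from reaching hash_equals() with the wrong type. Echoing the token and the messages through htmlspecialchars() keeps the same page from becoming an injection point for anything that ends up in those strings.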