fuel_csrf_token() wont generate token.

[Ghostff]

This use to wok before but all of a sudden it stopped. I downloaded a new one and added this:

<?= Security::js_fetch_token(); ?>
<script>
console.log(fuel_csrf_token());
</script>

to the views > welcome > index.php the fuel_csrf_token it created the fuel_csrf_token function and that's it.

[WanWizard]

You upgraded your PHP version, and short tags are now disabled? It still works fine here:

[wanwizard@catwoman] $ oil console
Fuel 1.9-dev - PHP 5.6.25 (cli) (Aug 24 2016 07:55:57) [Linux]
>>> Security::js_fetch_token();
<script type="text/javascript">\n\tfunction fuel_csrf_token()\n\t{\n\t\tif (document.cookie.length > 0)\n\t\t{\n\t\t\tvar c_name = "fuel_csrf_token";\n\t\t\tc_start = document.cookie.indexOf(c_name + "=");\n\t\t\tif (c_start != -1)\n\t\t\t{\n\t\t\t\tc_start = c_start + c_name.length + 1;\n\t\t\t\tc_end = document.cookie.indexOf(";" , c_start);\n\t\t\t\tif (c_end == -1)\n\t\t\t\t{\n\t\t\t\t\tc_end=document.cookie.length;\n\t\t\t\t}\n\t\t\t\treturn unescape(document.cookie.substring(c_start, c_end));\n\t\t\t}\n\t\t}\n\t\treturn "";\n\t}\n</script>\n
>>> exit

[Ghostff]

It generates the js function . But it seems to fall out after if (c_start != -1) and wen i log c_start i get -1

[WanWizard]

If you get -1 there, the csrf cookie does not exist.

Are you changing the name of the cookie in your app after the Security class is loaded?

[Ghostff]

please take a look at this VIDEO

[WanWizard]

For the audience: you downloaded the framework, added the call to the welcome controller, and then discovered it doesn't work. Rightly so, because as I wrote before, the cookie needs to exist before this will work.

And you have done nothing yet to create the cookie. The cookie is only created when you call Security::set_token() or Security::fetch_token(), something that happens automatically when you create a form that includes a CSRF token, for example by using Form::csrf().

[Art4]

In other words: Try this:

<?php echo Form::csrf(); ?>

<?php echo Security::js_fetch_token(); ?>
<script>
console.log(fuel_csrf_token());
</script>

[Ghostff]

Is there any reason why it worked before (like it use to generate token without the <?php Security::fetch_token() ?>)

[WanWizard]

I wouldn't know, it has always worked like this. DId you have security.csrf_autoload enabled in your config by any chance? That is the only thing that would trigger creation of the cookie on every request.

Obviously, in any app, the first page with a form (and a csrf token) would create the cookie, and the cookie would exist until you close the browser, also on pages that don't have a token. Also check the value of security.csrf_expiration in your config file, that would influence the lifespan of the cookie.

[WanWizard]

This may have caused a change in behaviour, in case you have a config file that doesn't include the csrf_autoload key: 5b40721

[WanWizard]

@Ghostff any more feedback on this topic?

[Ghostff]

nah, it just works well adding Security::set_token() to my bootstrap. but still works well at my other pc without Security::set_token() and security.csrf_autoload not enabled

[WanWizard]

With the same codebase? Or with a pre-1.8 version of Fuel that had autoload enabled by default?

[Ghostff]

i switch to a new pc, and installed fuel 1.8.0, it generates a token by itself (didnt include Security::set_token(), Security::fetch_token() and security.csrf_autoload is false), logs me out after the second refresh on ajax login.

[WanWizard]

Logins are not controlled by the CSRF token, so I can't see the connection between the two.

How do you install "1.8.0"? And do you run a composer update after that to fetch the latest hotfixes for 1.8.0?

[Ghostff]

like i validate CSFR before login more like if (Security::check_token(Input::post('__token'))) { ..} and it happens to be true without Security::set_token(), Security::fetch_token() or security.csrf_autoload enabled and yes i updated code sample