Can't get getFormToken() to work


Joe Palmer

Jun 24, 2014, 9:22:46 AM
to joomla-dev...@googlegroups.com
I asked this on Stack Exchange but haven't got any answers so I'm re-asking this here.

I have used the methods described on this page in Joomla many times before:

http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms

Now I want to implement the same mechanism using the Joomla Framework and the Framework App. So I have tried this:

$token = $this->app->getFormToken();

But this causes the application to exit. I have stepped through the code and the problem starts in the getFormToken function here:

return md5($this->get('secret') . $userId . $this->session->getToken($forceNew));

$this->get('secret') returns here because there is no dot in 'secret':

if (!strpos($path, '.'))
{
    return (isset($this->data->$path) && $this->data->$path !== null && $this->data->$path !== '') ? $this->data->$path : $default;
}

Then this function runs from Symfony:

public function write($sessionId, $data)
{
    return (bool) $this->handler->write($sessionId, $data);
}

And finally this function runs:

public function close()
{
    $this->active = false;

    return (bool) $this->handler->close();
}

Which exits the application.

What am I doing wrong? Do I need to add a 'secret' somewhere? How should I generate a form token which I then check when the form is submitted?

Thanks for any help you can give.

Michael Babker

Jun 24, 2014, 10:24:55 AM
to joomla-dev...@googlegroups.com
There should be a 'secret' set in your application's config either by having it in a config file (in the CMS, it's the $secret var in the configuration.php file) or by setting it somewhere in your startup routine (just call $this->set('secret', 'value'); sometime after $this->config has been set).


--
Framework source code: https://github.com/joomla/joomla-framework
Visit http://developer.joomla.org for more information about developing with Joomla!
---
You received this message because you are subscribed to the Google Groups "Joomla! Framework Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-frame...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-framework.

Joe Palmer

Jun 24, 2014, 1:07:44 PM
to joomla-dev...@googlegroups.com
Thanks Michael. I thought this might be the case so I added a secret into system and at the root of /App/Config/config.json like this:

{
	"database" : {
		"driver"  : "mysqli",
		"host"    : "localhost",
		"user"    : "user",
		"password": "password",
		"name"    : "name",
		"prefix"  : "app_"
	},
	"renderer" : {
		"type": "twig"
	},
	"system"   : {
		"list_limit": "20",
		"gzip"      : "0",
		"offset"    : "UTC",
		"secret"    : "SeCrEt123"
	},
	"languages": [
		"en-GB"
	],
	"secret"   : "SeCrEt123"
}

But I can't seem to access it from my model with $this->get('secret'), $this->app->get('secret') or $this->config->get('secret'). What is the correct way to access values from config.json in a model? Is this the correct place to set the secret so it is recognised by Joomla and used in getFormToken()?

Many thanks

Michael Babker

Jun 24, 2014, 1:39:59 PM
to joomla-dev...@googlegroups.com
The one under the root should get picked up.  If you var_dump $this->config in the application class, you should see it set as part of the object.


--
- Michael

Please pardon any errors, this message was sent from my iPhone.

Joe Palmer

Jun 25, 2014, 3:01:17 PM
to joomla-dev...@googlegroups.com

Thanks Michael, I got it working.

The bit I was missing was creating the session and associating it with the app.
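
The two prerequisites this thread arrives at, a configured secret and a session attached to the application, shown as an added stand-alone PHP sketch (not code from the Joomla Framework or from either poster). DemoSession and DemoApp and their methods are hypothetical stand-ins, and the secret is a constructed sample value.

```php
<?php
// Added illustration in plain PHP, not Joomla Framework code.
// DemoSession and DemoApp are hypothetical stand-ins for the session and application objects.
final class DemoSession
{
    private $token;

    // Per-session random value: the role $this->session->getToken() plays in the quoted line.
    public function getToken($forceNew = false)
    {
        if ($this->token === null || $forceNew) {
            $this->token = bin2hex(random_bytes(16));
        }
        return $this->token;
    }
}

final class DemoApp
{
    private $secret;
    private $session;

    public function __construct($secret) { $this->secret = $secret; }
    public function setSession(DemoSession $session) { $this->session = $session; }

    public function getFormToken($userId = 0, $forceNew = false)
    {
        // Fail with a clear error rather than hashing an empty secret or calling a missing session.
        if (!is_string($this->secret) || $this->secret === '') {
            throw new RuntimeException('application secret is not configured');
        }
        if ($this->session === null) {
            throw new RuntimeException('no session is attached to the application');
        }
        // Same derivation as the line quoted in the first post.
        return md5($this->secret . $userId . $this->session->getToken($forceNew));
    }

    public function checkToken($submitted)
    {
        // Constant-time comparison of the submitted field against the expected token.
        return is_string($submitted) && hash_equals($this->getFormToken(), $submitted);
    }
}

$app = new DemoApp('constructed-sample-secret'); // constructed value, not from the thread
$app->setSession(new DemoSession());             // without this call getFormToken() throws
$token = $app->getFormToken();                   // value for a hidden form field
var_dump($app->checkToken($token), $app->checkToken('forged'));
```

Because the token mixes the secret with a per-session value, a token issued in one session does not validate in another, and the secret itself should be a long random string kept out of version control.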
