Zend\Form\Element\Csrf pairs with the FormHidden helper to provide protection from CSRF attacks on forms, ensuring the data is submitted by the user session that generated the form and not by a rogue script. Protection is achieved by adding a hash element to a form and verifying it when the form is submitted.

Basic Usage

This element automatically adds a type attribute of value hidden.

use Zend\Form\Element;
use Zend\Form\Form;

$csrf = new Element\Csrf('csrf');

$form = new Form('my-form');

You can change the options of the CSRF validator using the setCsrfValidatorOptions() function, or by using the csrf_options key. Here is an example using array notation:

use Zend\Form\Element;
use Zend\Form\Form;

$form = new Form('my-form');
    'type' => Element\Csrf::class,
    'name' => 'csrf',
    'options' => [
        'csrf_options' => [
            'timeout' => 600,

Multiple CSRF elements must be uniquely named

If you are using more than one form on a page, and each contains its own CSRF element, you will need to make sure that each form uniquely names its element; if you do not, it's possible for the value of one to override the other within the server-side session storage, leading to the inability to validate one or more of the forms on your page. We suggest prefixing the element name with the form's name or function: login_csrf, registration_csrf, etc.

Public Methods

The following methods are specific to the Csrf element; all other methods defined by the parent Element class are also available.

Method signature Description
getInputSpecification() : array Returns an input filter specification, which includes a Zend\Filter\StringTrim filter and Zend\Validator\Csrf to validate the CSRF value.
setCsrfValidatorOptions(array $options) : void Set the options that are used by the CSRF validator.
getCsrfValidatorOptions() : array Get the options that are used by the CSRF validator.
setCsrfValidator(Zend\Validator\Csrf $validator) : void Override the default CSRF validator by setting another one.
getCsrfValidator() : Zend\Validator\Csrf Get the CSRF validator.