ThinkPHP form token error and Solution Analysis, thinkphp token

Source: Internet
Author: User


This article analyzes the "form token error" in ThinkPHP and how to resolve it. The details are as follows:

During project development, the system occasionally reported "form token error" when adding and editing data. I didn't care much at first; it was not until this afternoon that QA filed this issue in the bug system. There happened to be a few minutes to spare, so we traced through the TP3.13 source code, and a few minutes later we understood the cause.

To enable the form token in a project, you must configure the following in the configuration file:

// Whether to enable token verification
'TOKEN_ON' => true,
// Name of the hidden form field used for token verification
'TOKEN_NAME' => '__hash__',
// Token hash rule; the default is MD5
'TOKEN_TYPE' => 'md5',
// Whether to reset the token after a verification error; the default is true
'TOKEN_RESET' => true,

Take data editing as an example. Typically, a Model on the server side defines the field filtering rules, and an Action contains the data validation code, as shown below:

$table = D('table');
if (!$table->create()) {
    exit($this->error($table->getError()));
}

From here, double-click create() in the IDE to jump to the create method in Model.class.php in the TP framework.

/**
 * Create a data object without saving it to the database
 * @access public
 * @param mixed $data data to create
 * @param string $type status
 * @return mixed
 */
public function create($data = '', $type = '') {
    // ...... omitted ......
    // Form token verification
    if (!$this->autoCheckToken($data)) {
        $this->error = L('_TOKEN_ERROR_');
        return false;
    }
    // ...... omitted ......
}

The code shows that the error is reported when the autoCheckToken method fails, so we trace that method next.

// Automatic form token verification
// TODO: multiple ajax submissions without a page refresh are not supported yet
public function autoCheckToken($data) {
    // token(false) is supported to disable token verification
    // If the D method is used in the Action but there is no corresponding Model file, $this->options is null
    if (isset($this->options['token']) && !$this->options['token']) return true;
    if (C('TOKEN_ON')) {
        $name = C('TOKEN_NAME');
        if (!isset($data[$name]) || !isset($_SESSION[$name])) { // invalid token data
            return false;
        }
        // Token verification
        list($key, $value) = explode('_', $data[$name]);
        if ($value && $_SESSION[$name][$key] === $value) { // prevent repeated submission
            unset($_SESSION[$name][$key]); // destroy the session entry once verified
            return true;
        }
        // Token reset is enabled
        if (C('TOKEN_RESET')) unset($_SESSION[$name][$key]);
        return false;
    }
    return true;
}

Reading this code, we see that the first check tests whether $_SESSION[$name] exists. Where does this session variable come from? To answer that, we have to start from token generation, in the TokenBuildBehavior.class.php file:

// Create the form token
private function buildToken() {
    $tokenName = C('TOKEN_NAME');
    $tokenType = C('TOKEN_TYPE');
    if (!isset($_SESSION[$tokenName])) {
        $_SESSION[$tokenName] = array();
    }
    // Identify the current page uniquely
    $tokenKey = md5($_SERVER['REQUEST_URI']);
    if (isset($_SESSION[$tokenName][$tokenKey])) { // the same page does not generate the session entry again
        $tokenValue = $_SESSION[$tokenName][$tokenKey];
    } else {
        $tokenValue = $tokenType(microtime(TRUE));
        $_SESSION[$tokenName][$tokenKey] = $tokenValue;
    }
    $token = '<input type="hidden" name="' . $tokenName . '" value="' . $tokenKey . '_' . $tokenValue . '" />';
    return $token;
}

This code shows that, when form verification is enabled, TP uses TOKEN_NAME together with the md5 value of the current URI to identify the token in the session. When the user submits the form, the framework first checks whether the session entry exists; if it does not, false is returned. If it does, the TOKEN_NAME form field is verified against it: if the values match, the session entry is deleted first (so the same token cannot be submitted a second time) and true is returned; otherwise, false is returned.

OK, back to the topic. There are only two possible reasons for the token error on form submission under TP:

1. The token is enabled, but the submitted form has no TOKEN_NAME field or the corresponding session entry does not exist (the session entry is not generated in the environment of the currently submitted form; this mainly happens when, after a submission fails, the user refreshes the current page, and the editing page and display page are in the same method).

2. The session variable exists, but the values are different.

The reason why this error occurs in our project is as follows:

return array(
    'TOKEN_ON' => 'false',
    'TOKEN_NAME' => '__hash__',
    'TOKEN_TYPE' => 'md5',
    'TOKEN_RESET' => 'true',
    'DB_FIELDTYPE_CHECK' => 'true'
);

It should have been written as the Boolean value false; I don't know which hero wrote it as the string 'false'. Because the string 'false' is non-empty, PHP evaluates it as true, so the token-enabled logic is followed. In the project, adding, editing, and displaying are the same method. If an error occurs during verification, the usual processing logic returns to the original page, so the form is the same one as before; submitting the same form again is equivalent to a repeated submission, and "form token error" is reported.
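The behaviour described above can be reproduced outside the framework. The following is an added example, not code from ThinkPHP or from the original article: check_token() is a hypothetical stand-alone model of the autoCheckToken logic quoted earlier, string_booleans() is a hypothetical helper that flags settings written as the strings 'true' or 'false', and the URI and token values are constructed.

```php
<?php
// Added example: stand-alone model of the token check; no ThinkPHP code is loaded.
// check_token() and string_booleans() are hypothetical names.

function check_token(array $config, array &$session, array $post): bool
{
    if ($config['TOKEN_ON']) {              // the string 'false' is truthy here
        $name = $config['TOKEN_NAME'];
        if (!isset($post[$name]) || !isset($session[$name])) {
            return false;                   // cause 1: field or session missing
        }
        $parts = explode('_', $post[$name], 2);
        $key   = $parts[0];
        $value = $parts[1] ?? '';
        if ($value && ($session[$name][$key] ?? null) === $value) {
            unset($session[$name][$key]);   // a token is valid for one submission
            return true;
        }
        if ($config['TOKEN_RESET']) {
            unset($session[$name][$key]);
        }
        return false;                       // cause 2: values differ
    }
    return true;                            // verification disabled
}

// Report settings that hold the string 'true'/'false' instead of a boolean.
function string_booleans(array $config): array
{
    return array_keys(array_filter($config, function ($v) {
        return is_string($v) && in_array(strtolower($v), ['true', 'false'], true);
    }));
}

// Constructed sample data: the project's config, one issued token, one form post.
$config  = ['TOKEN_ON' => 'false', 'TOKEN_NAME' => '__hash__', 'TOKEN_RESET' => 'true'];
$key     = md5('/item/edit/id/1');          // constructed REQUEST_URI
$token   = md5('constructed-token-value');
$session = ['__hash__' => [$key => $token]];
$post    = ['__hash__' => $key . '_' . $token];

var_dump(check_token($config, $session, $post));    // first submission
var_dump(check_token($config, $session, $post));    // same form submitted again
print_r(string_booleans($config));                  // keys to correct

$config['TOKEN_ON'] = false;                        // boolean, as intended
var_dump(check_token($config, $session, $post));
```

With the string 'false' the first submission passes and the resubmission of the same form fails because the token was consumed; with the Boolean false the token check is skipped altogether.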
