Tags: php, cakephp, http-redirect, cakephp-2.1, flash-message

CakePHP - Controller::flash() does not redirect


Using CakePHP 2.1, I have the following code:

public function getForm($id = null) {
    $this->loadModel('DynamicFormResponse');

    // Check if the form exists; isValidForm() returns the schema or false
    $this->form_schema = $this->DynamicForm->isValidForm($id);

    if ($this->form_schema == false) {
        // Renders the flash page, but execution continues below
        $this->flash("Invalid form", $this->referer(
            array('controller' => "pages", 'action' => 'display')
        ));
    }
    ...
    ...

The problem I am facing is that the call to $this->flash() renders the flash page but also continues the execution of the controller.

So unless I do something like

if($this->form_schema == false){
    $this->flash("Invalid form", $this->referer(
        array('controller'=>"pages", 'action' => 'display')
    ));
    return;           
}

the controller does not terminate.

The main problem arises when the _csrf_error method is called:

function _csrf_error() {

    $this->flash("csrf Error",  $this->referer(
            array('controller'=>"pages", 'action' => 'display')
    ));
}

Since the flash method does not redirect, it offers no CSRF protection at all. Using return; after $this->flash() in the _csrf_error method does not work.

PS: Full code available here


Solution

  • flash() does not redirect; it renders. It is very similar to the render() function: it continues the execution of the script, unlike the redirect() function.

    You just need to organize your logic accordingly, so that no other line is executed after it if you don't want it to. Optionally, you can use Session->setFlash() combined with a redirect.

    When dealing with serious errors like an invalid CSRF token, I'd recommend throwing an exception instead of rendering a nice message to the attacker. You can prettify the exception rendering using the error handler, though.
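The following is an added example, not code from the question or the answer above, showing one way to apply the answer's two recommendations in a CakePHP 2.x controller: the SecurityComponent black-hole callback throws a BadRequestException so the request ends with an HTTP 400, and the invalid-form branch uses Session->setFlash() plus redirect() instead of Controller::flash(). The controller name, the `$uses` list, the log message and the exception text are assumptions for illustration; DynamicForm, isValidForm() and the pages/display route come from the question.

```php
<?php
// Added example (not from the original question or answer): a CakePHP 2.x
// controller that handles both cases from the thread without falling
// through into the action body. DynamicForm, isValidForm() and the
// pages/display route are taken from the question; the controller name
// and everything else are assumed for illustration.
App::uses('AppController', 'Controller');
App::uses('BadRequestException', 'Error');

class DynamicFormsController extends AppController {

    public $uses = array('DynamicForm', 'DynamicFormResponse');

    // SecurityComponent validates the form token on POST; Session is
    // needed for setFlash().
    public $components = array('Session', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Name of the controller method SecurityComponent calls when a
        // request fails its CSRF / form-tampering checks.
        $this->Security->blackHoleCallback = '_csrf_error';
    }

    /**
     * Black-hole callback. SecurityComponent::blackHole() returns whatever
     * this method returns, so a callback that neither throws nor redirects
     * lets the requested action run anyway (the bypass described in the
     * question). Throwing ends the request here: no "nice" page for the
     * attacker. BadRequestException is rendered by Cake's ExceptionRenderer
     * as an HTTP 400 via app/View/Errors/error400.ctp, which you can style.
     */
    public function _csrf_error($error) {
        $this->log(sprintf('Black-holed request from %s to %s (%s)',
            $this->request->clientIp(), $this->request->here, $error), 'error');
        throw new BadRequestException(__('The request could not be validated.'));
    }

    /**
     * Invalid form id: store the message in the session and redirect.
     * redirect() calls _stop() by default (its $exit parameter is true),
     * so nothing after it executes; the explicit return documents that
     * and keeps the action correct even if $exit is later set to false.
     */
    public function getForm($id = null) {
        $this->form_schema = $this->DynamicForm->isValidForm($id);

        if ($this->form_schema == false) {
            $this->Session->setFlash(__('Invalid form'));
            return $this->redirect(array('controller' => 'pages', 'action' => 'display'));
        }

        // Only reached for a valid form.
        $this->set('form_schema', $this->form_schema);
    }
}
```

The example redirects to a fixed route rather than to $this->referer(). In CakePHP 2.x, referer($default, $local = false) returns the raw Referer header unless $local is true, and that header is supplied by the client; redirecting there after a security failure would let the page that sent the bad request choose where the user lands. Pass true as the second argument, or use a fixed route, if you want referer-based redirects.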