Zend Framework 2 - csrf regenerates on refresh
I am having a problem with the Zend Framework 2 formElement csrf.
It works fine until I submit an invalid form, hit the same page then refresh the page. A "notTheSame" validation error occurs on the field and the message "The form submitted did not originate from the expected site" appears. And that is correct, because if I check the value of the csrf field, it is different from the one before submission.
The form was working fine before I decided to add the csrf field.
I am creating my csrf field as follow:
// Assumed imports for the classes used below (ClassMethodsHydrator is an alias
// for Zend's ClassMethods hydrator)
use Zend\Form\Form;
use Zend\InputFilter\InputFilter;
use Zend\Stdlib\Hydrator\ClassMethods as ClassMethodsHydrator;

class SignupForm extends Form
{
    public function __construct()
    {
        parent::__construct('signup');
        $this->setAttribute('method', 'post')
             ->setHydrator(new ClassMethodsHydrator(false))
             ->setInputFilter(new InputFilter());

        // The Csrf element keeps its hash in the session and compares it
        // with the submitted value when the form is validated
        $this->add(array(
            'type'    => 'Zend\Form\Element\Csrf',
            'name'    => 'csrf',
            'options' => array(),
        ));

        // I also add a couple of fieldsets after this
    }
}
And in the view file :
<?php
$form = $this->form;
$form->setAttribute('action', $this->url('needfunding', array('action' => 'register')));
$form->setAttribute('class', "signup-form start");
$form->prepare();
echo $this->form()->openTag($form);
$applicant = $form->get('applicant');
?>
<?php $this->FormErrors($form); ?>
<?php echo $this->formRow($form->get('csrf')); ?>
(FormErrors is a view helper that retrieves the form messages and styles them)
In my controller :
public function signupAction()
{
    $form = new SignupForm();
    /* some unrelated code [...] */
    $request = $this->getRequest();
    if ($request->isPost()) {
        $category_group_id = $request->getPost()->category_group;
        $selected_categories = array();
        foreach ($categories as $c) {
            $selected_categories[$c->getId()] = html_entity_decode($c->getName());
        }
        $form->get('category')->setValueOptions($selected_categories);
        $form->setData($request->getPost());
        if ($form->isValid()) {
            /* some unrelated code [...] */
            return $this->redirect()->toRoute('signupconfirmation');
        }
        // invalid form: fall through and render it again with its messages
    }
    return array('form' => $form, 'categories' => $ordered_categories);
}
I guess my question is: why is my csrf regenerated once I'm back on my form page because the form wasn't valid?
PS: I could not find my solution in this post: Zend Framework 2 CSRF Protection
Solution 1:
I had experienced a similar problem.
In my case I was using a login form with a Zend\Authentication\Validator\Authentication validation.
The validator was destroying the session on each validation attempt, because it was using a Zend\Authentication\AuthenticationService with the default Zend\Authentication\Storage\Session storage.
Because the csrf value is stored in session, using the validator caused destruction of the csrf value, so it had to be recreated on each login form POST attempt.
So, my advice is: try to check whether the session does not get destroyed during the refresh (it should not). This reference might help: http://framework.zend.com/manual/2.2/en/modules/zend.session.config.html
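To act on the answer's advice and actually check whether the session (and the CSRF hash kept in it) survives a refresh, here is an added throw-away diagnostic action; it is not code from the question or the answer. It assumes a ZF2 2.2-era application in which Zend\Validator\Csrf reuses the hash already stored in the session; the controller name, the 'csrf_probe' container name and the route that maps to the action are hypothetical.

```php
<?php
// Added diagnostic (not from the original post). Temporary code: remove it
// once the session behaviour has been confirmed.
namespace Application\Controller;

use Zend\Mvc\Controller\AbstractActionController;
use Zend\Session\Container;
use Zend\Validator\Csrf;

class CsrfProbeController extends AbstractActionController
{
    public function probeAction()
    {
        // A counter in its own (hypothetical) session namespace: it only
        // keeps growing across requests if the session data itself is kept.
        $probe = new Container('csrf_probe');
        $probe->hits = isset($probe->hits) ? $probe->hits + 1 : 1;

        // Same validator configuration as the 'csrf' form element. On ZF 2.2
        // getHash() returns the hash already stored in the session and only
        // generates (and stores) a new one when none is there.
        $validator = new Csrf(array('name' => 'csrf'));
        $hash = $validator->getHash();

        $lines = array(
            'session id : ' . session_id(),
            'probe hits : ' . $probe->hits,
            'csrf hash  : ' . $hash,
        );

        // Reload the page a few times. If 'probe hits' restarts at 1, the
        // session id changes, or the hash changes on every load, something
        // between requests (for example an authentication validator using the
        // default Zend\Authentication\Storage\Session storage) is destroying
        // the session, which is exactly what makes the Csrf element report
        // "notTheSame" on the re-submitted form.
        $response = $this->getResponse();
        $response->getHeaders()->addHeaderLine('Content-Type', 'text/plain');
        $response->setContent(implode("\n", $lines) . "\n");
        return $response;
    }
}
```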
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution   | Source
-----------|----------
Solution 1 | jjwdesign