Zend Form - multiple forms in one page and (CSRF) token validations

Question

I use Zend-Form to generate my forms in my project.

First: How do you handle multiple forms on the same page, and only post the form that is submitted?

Second: When I have two forms on the same page the token will only validate the topmost rendered form in the HTML. The second form with get a "Token does not match" error, thus making the form unable to post. How do you give each form a unique token that does not conflict with the others?

Sincerely, Why

Answer 1

When I have two forms on the same page the token will only validate the topmost rendered form in the HTML. The second form with get a "Token does not match" error, thus making the form unable to post. How do you give each form a unique token that does not conflict with the others?

Tokens on multiple forms are not possible with the current implementation (see initCsrfValidator).

I suggest you generate your own token, store it in the session (with the form ID) and validate it yourself.

Answer 2

I found this question while trying to have two forms on the same page using Zend_Form_Element_Hash. There are two ways to accomplish this, and both are mentioned in the documentation:

The name of the hash element should be unique. We recommend using the salt option for the element- two hashes with same names and different salts would not collide

So...

1. Use a unique name for each Hash element
2. Use a unique salt value for each Hash element