Can't get form csrf validation work after upgrade to 4

[WsevoL0D]

Hi, I've had working csrf validation in my app, which had been taken from Vokuro sample app.
After upgrade to phalcon 4.0 I've done all necessary changes, and everything works fine except for csrf validation.
Here is my login form's csrf part:

$csrf = new Hidden('csrf');
$csrf->addValidator(new Identical([
'value' => $this->security->getToken();
'message' => 'CSRF validation failed'
]));
$csrf->clear();
$this->add($csrf);

Here is form's volt template part:

    {{ form.render('csrf', ['value': security.getToken()]) }}

If I try output values of security.getToken from form and from template, they are the same, but Validator always fails.

I've tried different approaches, e.g. remove $csrf->clear(); add $csrf->setDefault($this->security->getToken()) to login form's code.

I've tried new approach from documentation, wasn't able to get it work as well.
Namely:

{{ form.render(security.getTokenKey(), ['value': security.getToken()]) }}

in form template
with

if (!$this->security->checkToken()) {
notify about csrf validation failure 

in session controller. And just element for csrf without validation on form.
Check token always returns null.

Could someone explain to me how do we validate csrf these days?
(Preferably with form validation if this even possible on 4th Phalcon)

[wurst-hans]

This does work in v4. But can't remember, how I did it before, sorry (in the meantime, I've implemented another approach for CSRF check).
One problem was, that Phalcon refreshes token and tokenKey on every request (i.e. every call of checkToken() causes generation of new token), which breaks my app when multiple tabs in browser were opened. So, first thing I've changed, was to overwrite Security class and made CSRF key persistent for current session.
My current implementation is sending forms via Ajax only. For this I'm adding CSRF to Ajax request header and there is a middleware in my Phalcon app, which compares token in HTTP header with CSRF token stored in session.

[WsevoL0D]

Hi, I'm unable to get it to work (new approach from v4 docs) even with one tab and one session.
I feel that either something not working as expected, or just me not understanding docs.

PS. Change all my forms to async would be a bit overkill as I have no reason to make them async beside from csrf.

I've disabled csrf validation for now.(

[accelware]

I'am having the similar problem - please help!

[wurst-hans]

An older project (but on Phalcon 4 already) uses something like this without problems:

LoginForm.php

class LoginForm extends \Phalcon\Forms\Form {
    public function initialize() {
        $field = new Hidden('csrf');
        $field->addValidators([
            new Identical([
                'value' => $this->security->getSessionToken(),
                'message' => $locale->translate('form_csrf_invalid'),
            ]),
        ]);
        $field->clear();
        $this->add($field);
    }
}

LoginController.php

class LoginController extends \Phalcon\Mvc\Controller {
    public function loginAction() {
        $form = new LoginForm();
        if (
            $this->request->isPost() &&
            $form->isValid($this->request->getPost())
        ) {
        // ...
        }
        return $this->view
            ->setVar('form', $form)
            ->render('login');
    }
}

login.volt

{{ form() }}
    <fieldset>
        {{ form.render('csrf', ['value': security.getToken()]) }}
    </fieldset>
</form>

EDIT: While writing this, I see that you use getToken() in your Identical validator instead of getSessionToken. Try to change this first.