CSRF token error with get forms


adrian
I am using getInputfields() and processInput($input->get) to build and process a front-end form. I was using POST, but just changed to GET to handle pagination and bookmarking of results.

Only catch is that I end up with the fatal "This request was aborted because it appears to be forged." error. Removing the token from the URL and reloading the page works fine, as does setting $config->protectCSRF = false; in config.php

Anyone know why I can't use this with GET forms?

Of course I could potentially do some hacky things redirecting to remove the token in the URL etc., but I think I must be missing the right way to make this work.

Make sure that the form (InputfieldForm) knows that you are using GET:

$form->attr('method', 'get');

That should be enough to disable CSRF protection for that form. If you had a POST form that you didn't want CSRF protection on, you could do it like this:

$form->protectCSRF = false; 

InputfieldForm doesn't even attempt CSRF protection for method=GET forms, so not necessary to do that if the method is already set to get. 

  • Like 1
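
The setup discussed in this thread, as an added example that is not code from either poster or from ProcessWire itself: a GET search form with pagination that stays read-only, because no CSRF token guards the request. It assumes a ProcessWire template file with page numbers enabled and MarkupPagerNav installed; the field name `q`, the submit name `search`, the `title%=` selector and the limit of 10 are hypothetical.

```php
<?php namespace ProcessWire;
// Added example for a ProcessWire template file. The field name "q", the
// selector and the page size are assumptions, not taken from the thread.

$form = $modules->get('InputfieldForm');
$form->attr('method', 'get');   // GET form: InputfieldForm does not attempt CSRF validation
$form->attr('action', $page->url);

$f = $modules->get('InputfieldText');
$f->attr('name', 'q');
$f->label = 'Search';
$form->add($f);

$submit = $modules->get('InputfieldSubmit');
$submit->attr('name', 'search');
$form->add($submit);

$out = '';
if($input->get('q') !== null) {
    // No token protects this request, so this branch only reads data:
    // no saves, deletes or other state changes are triggered from GET.
    $form->processInput($input->get);
    if(!count($form->getErrors())) {
        $q = $sanitizer->text($form->get('q')->value);
        $input->whitelist('q', $q);             // pager links keep ?q=... for bookmarking
        $sel = $sanitizer->selectorValue($q);   // make the value safe inside a selector
        if(strlen($q)) {
            $results = $pages->find("title%=$sel, limit=10");
            foreach($results as $item) {
                $title = $sanitizer->entities($item->title);   // encode output
                $out .= "<li><a href='{$item->url}'>$title</a></li>";
            }
            $out = "<ul>$out</ul>" . $results->renderPager();
        }
    }
}

echo $form->render() . $out;
```

Forms that change data stay on POST, where InputfieldForm keeps its CSRF check unless `protectCSRF` is set to false.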