I'm using Symfony 2.1 to build a website with a little login form. I'm following the tutorial at this link, but I don't see any part talking about CSRF protection. However, here are all the options for the login security, and at the end I can clearly see that this type of protection should be supported. I don't understand how to use it.
2 Answers
Here you can read in detail about CSRF protection in version 2.1.
In case you don't use form classes for your forms, you can simply use the csrf_token function (don't forget to pass your intention string there, which is empty by default):
<input type="hidden" name="token" value="{{ csrf_token('') }}">
It is defined here, and in the default case it will execute this method.
Maybe these answers might also be useful for you:
https://stackoverflow.com/a/12054712/970721
https://stackoverflow.com/a/11632713/970721
Vitalii Zurian
The login form doesn't have a form class, so I can't use those methods. – Stefano Oct 07 '12 at 21:26
Thank you, but I don't think this is what I'm searching for. Shouldn't those things be for classic forms? I thought that there was some form field for the login form to get automatically via Twig. – Stefano Oct 07 '12 at 21:55
That method prints a string that seems to be the CSRF token; however, having it or not doesn't make a difference in the login form. It seems that Symfony doesn't check it. But in the config options CSRF should be enabled by default in the login process. – Stefano Oct 08 '12 at 11:46
I had to set the csrf provider for the login form, and then it worked. The only thing that I hate is that I must explicitly write the intention using the csrf_token function; instead I thought there was a quick way to get it from the security login options. – Stefano Oct 09 '12 at 17:01
Nothing is preventing you from creating a form class for login. All you need to do is to tell the login controller the names of the generated fields:
form_login:
    username_parameter: login[username]
    password_parameter: login[password]
    csrf_parameter: login[_token]
and set the form's CSRF intention to authenticate:
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
    $resolver->setDefaults([
        'intention' => 'authenticate',
    ]);
}
Elnur Abdurrakhimov
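The full form class that the answer above describes, as an added example (it is not the answer's or the Symfony project's code). The bundle namespace Acme\DemoBundle, the firewall name secured_area and the route name login_check are assumptions; the form_login keys and the csrf_protection, csrf_field_name and intention form options are the real Symfony 2.1 ones. The docblock repeats the security.yml mapping the class depends on, so the two stay in sync.

```php
<?php
// src/Acme/DemoBundle/Form/Type/LoginType.php   (bundle path assumed)
namespace Acme\DemoBundle\Form\Type;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;

/**
 * Form class for the form_login listener (Symfony 2.1).
 *
 * getName() returns "login", so the rendered fields are named
 * login[username], login[password] and login[_token]. The firewall
 * must be told those names and must use the same intention:
 *
 *     firewalls:
 *         secured_area:                      # firewall name assumed
 *             form_login:
 *                 check_path:         /login_check
 *                 csrf_provider:      form.csrf_provider
 *                 intention:          authenticate
 *                 username_parameter: login[username]
 *                 password_parameter: login[password]
 *                 csrf_parameter:     login[_token]
 */
class LoginType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder
            ->add('username', 'text')
            ->add('password', 'password');
        // No '_token' field is added by hand: with csrf_protection enabled the
        // form layer appends the hidden CSRF field itself when the form is rendered.
    }

    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'csrf_protection' => true,
            'csrf_field_name' => '_token',
            // Must equal form_login.intention; otherwise the listener derives a
            // different token for the same session and every login is rejected.
            'intention'       => 'authenticate',
        ));
    }

    public function getName()
    {
        return 'login';
    }
}
```

In the login controller action, build the form with `$this->createForm(new LoginType())` and pass `$form->createView()` to the template; render it with `form_widget(form)` inside a `<form>` whose action is `path('login_check')`. Do not bind the form in the controller: the POST to /login_check is consumed by the form_login listener, which reads the three login[...] parameters and checks login[_token] against the "authenticate" intention before it ever looks at the credentials.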