
[cookbook/csrf_in_login_form] Confusion around csrf_token_generator and csrf_provider for form_login #6194


Closed
gbalcewicz opened this issue Jan 27, 2016 · 3 comments
Labels
actionable Clear and specific issues ready for anyone to take them. bug hasPR A Pull Request has already been submitted for this issue. Security

Comments

@gbalcewicz

In the docs for 2.7 under the form_login is csrf_token_generator. In docs for 2.8 there is a note that csrf_token_generator was introduced in 2.4. In docs for 2.6 there is csrf_provider.

When using csrf_token_generator in symfony 2.7 we are getting exception:

InvalidConfigurationException in ArrayNode.php line 309: Unrecognized option "csrf_token_generator" under "security.firewalls.main.form_login"

Moreover in the docs for FosUserBundle there is a comment in yml

# if you are using Symfony < 2.8, use the following config instead:
# csrf_provider: form.csrf_provider

It confuses a lot. I assume that csrf_token_generator was introduced in 2.8. Is that right?

@gbalcewicz gbalcewicz changed the title Confusion around csrf_token_generator and csrf_provider for form_login [cookbook/csrf_in_login_form] Confusion around csrf_token_generator and csrf_provider for form_login Jan 27, 2016
@xabbuh
Member

xabbuh commented Jan 30, 2016

You are right. For the Form component, the new options have been introduced in Symfony 2.4. The same applies to the csrf_token_generator and csrf_token_id options under the logout section for firewalls (see symfony/symfony#9587). However, for the form login this has only been done in Symfony 2.8 (see symfony/symfony#16704).

This means that we must partly revert the changes from #6152 and add them back after merging the reverted changes up to the 2.8 branch.
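The two spellings side by side, as an added example that is not part of this issue, the Symfony docs or FOSUserBundle: the form_login section of a security.yml for 2.7 and the equivalent for 2.8+. The provider name app_users is a placeholder; form.csrf_provider is the service id quoted in the report above, and security.csrf.token_manager is assumed to be the token manager service of the Security CSRF component.

```yaml
# Symfony 2.4 - 2.7: form_login only knows "csrf_provider".
# Writing "csrf_token_generator" here is rejected at container compile time
# with the InvalidConfigurationException quoted in the report.
security:
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: app_users               # placeholder user provider name
                csrf_provider: form.csrf_provider # legacy service id (pre-2.8 form_login)
            logout:
                path: /logout
                # logout already accepted the new option names since 2.4 (symfony/symfony#9587)
                csrf_token_generator: security.csrf.token_manager

---
# Symfony 2.8+: form_login accepts "csrf_token_generator" (symfony/symfony#16704).
security:
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: app_users
                csrf_token_generator: security.csrf.token_manager  # assumed service id
            logout:
                path: /logout
                csrf_token_generator: security.csrf.token_manager
```

Because an unknown option name fails container compilation instead of being ignored, a misspelled key never leaves the login form running without CSRF protection; the exception in the report is the expected signal to switch to the spelling for the installed version.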

@xabbuh xabbuh added the actionable Clear and specific issues ready for anyone to take them. label Jan 30, 2016
@xabbuh
Member

xabbuh commented Jan 30, 2016

see #6207

@xabbuh xabbuh added the hasPR A Pull Request has already been submitted for this issue. label Jan 30, 2016
xabbuh added a commit that referenced this issue Jan 31, 2016
This PR was merged into the 2.7 branch.

Discussion
----------

revert form login CSRF changes on wrong branch

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | 2.7+
| Fixed tickets | #6194

Commits
-------

3a2a714 revert form login CSRF changes on wrong branch
@xabbuh
Member

xabbuh commented Jan 31, 2016

The wrong changes have been reverted in #6207 and I have added them back again in 372704b after merging things up to the 2.8 branch. Thank you for reporting this @gbalcewicz!

@xabbuh xabbuh closed this as completed Jan 31, 2016