In the new security system, enabling login CSRF protection was simplified toenable_csrf: true, but we didn't change enabling logout CSRF protection. This means that users have to set some very low level configuration options to enable logout CSRF:

security:firewalls:main:logout:csrf_token_generator:security.csrf.token_generator

This PR introduced anenable_csrf option to make this equal to enabling login CSRF protection:

security:firewalls:main:logout:enable_csrf:true# when enabled, the default token generator will be used and# csrf_token_generator can be used to use a custom generator

The feature is fully backwards compatible without BC breaks (i.e. setting a token generator automatically enables CSRF).

wouterj requested a review fromchalasr as acode owner

June 4, 2022 10:54

carsonbot added Status: Needs Review Feature SecurityBundle labels

Jun 4, 2022

carsonbot added this to the6.2 milestone

Jun 4, 2022

Copy link

carsonbot commentedJun 5, 2022

Hey!

I think@TimoBakx has recently worked with this code. Maybe they can help review this?

Cheers!

Carsonbot

fabpot reviewed

Jun 5, 2022

View reviewed changes

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.phpShow resolvedHide resolved

Copy link

Member

fabpot commentedJul 20, 2022

@wouterj Do you have time to finish this PR?

wouterj force-pushed thesecurity-logout-csrf branch from568d1c4 todf7f680Compare

July 21, 2022 11:11

[SecurityBundle] Add shortcut option to enable logout CSRF protection

380fe72

wouterj force-pushed thesecurity-logout-csrf branch fromdf7f680 to380fe72Compare

July 21, 2022 11:21

Copy link

MemberAuthor

wouterj commentedJul 21, 2022

Sorry, forgot about this one. Ready now :) (the remaining test failures are not related to this PR)

chalasr approved these changes

Jul 21, 2022

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels

Jul 21, 2022

fabpot approved these changes

Jul 21, 2022

View reviewed changes

Copy link

Member

fabpot commentedJul 21, 2022

Thank you@wouterj.

fabpot merged commit951352e intosymfony:6.2

Jul 21, 2022

fabpot mentioned this pull request

Jul 21, 2022

[SecurityBundle] Add shortcut option to enable logout CSRF protectionsymfony/symfony-docs#17027

Closed

wouterj deleted the security-logout-csrf branch

July 21, 2022 11:44

fabpot mentioned this pull request

Oct 24, 2022

Release v6.2.0-BETA1#47972

Merged

MatTheCat mentioned this pull request

Nov 26, 2022

[SecurityBundle] Fixlogout.csrf_token_generator default value#48341

Merged

fabpot added a commit that referenced this pull request

Nov 26, 2022

bug#48341[SecurityBundle] Fixlogout.csrf_token_generatordefault…

25026b3

… value (MatTheCat)This PR was merged into the 6.2 branch.Discussion----------[SecurityBundle] Fix `logout.csrf_token_generator` default value| Q             | A| ------------- | ---| Branch?       | 6.2| Bug fix?      | yes| New feature?  | no| Deprecations? | no| Tickets       |Fix#48339| License       | MIT| Doc PR        | N/AThe token **manager** service ID configuration node is called <code>csrf_token_**generator**</code>. As such it has been wrongly assumed in#46580 `security.csrf.token_generator` was a good default value, whereas `security.csrf.token_manager` should be used (this is reflected by [the documentation](https://symfony.com/doc/current/reference/configuration/security.html#csrf-token-generator)).`csrf_token_generator` should ideally be deprecated and renamed `csrf_token_manager`.Commits-------df539e2 [SecurityBundle] Fix `logout.csrf_token_generator` default value