Commitd9935a3

committed

feature#4141 Notes about caching pages with a CSRF Form (ricardclau)

This PR was merged into the 2.3 branch.Discussion----------Notes about caching pages with a CSRF Form| Q | A| ------------- | ---| Doc fix? | no| New docs? | no| Applies to | all| Fixed tickets |#1216Commits-------1bc7ef2 cache_csrf_form

2 parentsf43e923 +1bc7ef2 commitd9935a3Copy full SHA for d9935a3

File tree

4 files changed

+59

-0

lines changed

book
- forms.rst
cookbook
- cache
  - form_csrf_caching.rst
  - index.rst
- map.rst.inc

4 files changed

+59

-0

lines changed

`‎book/forms.rst‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1791,6 +1791,13 @@ section.`
`1791`	`1791`	The ``intention`` option is optional but greatly enhances the security of
`1792`	`1792`	`the generated token by making it different for each form.`
`1793`	`1793`
	`1794`	`+..caution::`
	`1795`	`+`
	`1796`	`+ CSRF tokens are meant to be different for every user. This is why you`
	`1797`	`+ need to be cautious if you try to cache pages with forms including this`
	`1798`	`+ kind of protection. For more information, see`
	`1799`	+:doc:`/cookbook/cache/form_csrf_caching`.
	`1800`	`+`
`1794`	`1801`	`..index::`
`1795`	`1802`	`single: Forms; With no class`
`1796`	`1803`
`@@ -1931,6 +1938,8 @@ Learn more from the Cookbook`
`1931`	`1938`	*:doc:`/cookbook/form/form_customization`
`1932`	`1939`	*:doc:`/cookbook/form/dynamic_form_modification`
`1933`	`1940`	*:doc:`/cookbook/form/data_transformers`
	`1941`	+*:doc:`/cookbook/security/csrf_in_login_form`
	`1942`	+*:doc:`/cookbook/cache/form_csrf_caching`
`1934`	`1943`
`1935`	`1944`	.. _`Symfony Form component`:https://github.com/symfony/Form
`1936`	`1945`	.. _`DateTime`:http://php.net/manual/en/class.datetime.php

`‎cookbook/cache/form_csrf_caching.rst‎`

Lines changed: 48 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,48 @@`
	`1`	`+..index::`
	`2`	`+ single: Cache; CSRF; Forms`
	`3`	`+`
	`4`	`+Caching Pages that Contain CSRF Protected Forms`
	`5`	`+===============================================`
	`6`	`+`
	`7`	`+CSRF tokens are meant to be different for every user. This is why you`
	`8`	`+need to be cautious if you try to cache pages with forms including them.`
	`9`	`+`
	`10`	`+For more information about how CSRF protection works in Symfony, please`
	`11`	+check:ref:`CSRF Protection<forms-csrf>`.
	`12`	`+`
	`13`	`+Why Reverse Proxy Caches do not Cache these Pages by Default`
	`14`	`+------------------------------------------------------------`
	`15`	`+`
	`16`	`+There are many ways to generate unique tokens for each user but in order get`
	`17`	`+them validated when the form is submitted, you need to store them inside the`
	`18`	`+PHP Session.`
	`19`	`+`
	`20`	`+If you are using Varnish or some similar reverse proxy cache and you try to cache`
	`21`	`+pages containing forms with CSRF token protection, you will see that, by default,`
	`22`	`+the reverse proxy cache refuses to cache.`
	`23`	`+`
	`24`	`+This happens because a cookie is sent in order to preserve the PHP session open and`
	`25`	`+Varnish default behaviour is to not cache HTTP requests with cookies.`
	`26`	`+`
	`27`	`+If you think about it, if you managed to cache the form you would end up`
	`28`	`+with many users getting the same token in the form generation. When these`
	`29`	`+users try to send the form to the server, the CSRF validation will fail for`
	`30`	`+them because the expected token is stored in their session and different`
	`31`	`+for each user.`
	`32`	`+`
	`33`	`+How to Cache Most of the Page and still Be Able to Use CSRF Protection`
	`34`	`+----------------------------------------------------------------------`
	`35`	`+`
	`36`	`+To cache a page that contains a CSRF token you can use more advanced caching`
	`37`	+techniques like `ESI`_ fragments, having a TTL for the full page and embedding
	`38`	`+the form inside an ESI tag with no cache at all.`
	`39`	`+`
	`40`	`+Another option to be able to cache that heavy page would be loading the form`
	`41`	`+via an uncached AJAX request but cache the rest of the HTML response.`
	`42`	`+`
	`43`	`+Or you can even load just the CSRF token with an AJAX request and replace the`
	`44`	`+form field value with it.`
	`45`	`+`
	`46`	+.. _`Cross-site request forgery`:http://en.wikipedia.org/wiki/Cross-site_request_forgery
	`47`	+.. _`ESI`:http://www.w3.org/TR/esi-lang
	`48`	+.. _`Security CSRF Component`:https://github.com/symfony/security-csrf

`‎cookbook/cache/index.rst‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,3 +5,4 @@ Cache`
`5`	`5`	`:maxdepth:2`
`6`	`6`
`7`	`7`	`varnish`
	`8`	`+form_csrf_caching`

`‎cookbook/map.rst.inc‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	* :doc:`/cookbook/cache/index`
`21`	`21`
`22`	`22`	* :doc:`/cookbook/cache/varnish`
	`23`	+* :doc:`/cookbook/cache/form_csrf_caching`
`23`	`24`
`24`	`25`	`*Composer`
`25`	`26`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitd9935a3

File tree

4 files changed

4 files changed

`‎book/forms.rst‎`

`‎cookbook/cache/form_csrf_caching.rst‎`

`‎cookbook/cache/index.rst‎`

`‎cookbook/map.rst.inc‎`

0 commit comments