Add documentation to overwrite token widget block using esi #10867

39 changes: 38 additions & 1 deletion in http_cache/form_csrf_caching.rst
Expand Up@@ -30,7 +30,44 @@ How to Cache Most of the Page and still be able to Use CSRF Protection

To cache a page that contains a CSRF token, you can use more advanced caching
techniques like :doc:`ESI fragments </http_cache/esi>`, where you cache the full
page and embedding the form inside an ESI tag with no cache at all.
page and embedding the form or just the CSRF token inside an ESI tag with no
cache at all. When you have your custom form theme you can do this by create a
new token_widget block and call render_esi there:

.. code-block:: twig

{%- block token_widget %}
{{ render_esi(controller('App\\Controller\\FormController::token', { 'form': form.parent.vars.name })) }}
{%- endblock token_widget -%}

You can use the ``security.csrf.token_manager`` service to generate a token for your given form:

.. code-block:: php

public function token(Request $request, TokenGeneratorInterface $generator)
{
$formName = $request->attributes->get('form');
$csrfToken = $csrfTokenManager->getToken($formName)->getValue();

$response = new Response(sprintf(
'<input type="hidden" id="%s__token" name="%s[_token]" value="%s" />',
$formName,
$formName,
$csrfToken
));

// In some cases you have a response listener maybe which will set cache headers
// automatically most kind of this listener will not set it if cache headers exist
// so add the following if you want to be sure the response is not cached:
$response->setPrivate();
$response->setSharedMaxAge(0);
$response->setMaxAge(0);
$response->headers->addCacheControlDirective('must-revalidate', true);
$response->headers->addCacheControlDirective('no-cache', true);
$response->headers->addCacheControlDirective('no-store', true);

return $response;
}

Another option would be to load the form via an uncached AJAX request, but
cache the rest of the HTML response.
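Review bot: the controller in the ``php`` block of this hunk calls ``$csrfTokenManager->getToken($formName)``, but ``$csrfTokenManager`` is never defined; the signature injects ``TokenGeneratorInterface $generator``, which only produces raw random token values and has no ``getToken()`` method, so the example fails with an undefined variable. The prose two lines above tells the reader to use the ``security.csrf.token_manager`` service, so the signature should inject that instead, e.g. ``public function token(Request $request, CsrfTokenManagerInterface $csrfTokenManager)``, with ``use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;`` (plus ``Request`` and ``Response``) added so the block is copy-pasteable. Two smaller points: ``$formName`` is interpolated into the ``<input>`` markup unescaped; even though ``render_esi`` fragment URLs are signed, a documentation example should pass it through ``htmlspecialchars()`` rather than teach raw interpolation into HTML. And the wording "you can do this by create a new token_widget block and call render_esi there" should read "by creating a new ``token_widget`` block and calling ``render_esi`` there", while the code comment starting "In some cases you have a response listener maybe" would be clearer as "If a response listener sets cache headers automatically, it usually skips responses that already carry them, so set these explicitly to be sure the fragment is never cached."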