This section is talking about the build-in form login authenticator. Youmust define it asauthenticate to make it work with this authenticator.

I think we can improve the wording onhttps://symfony.com/doc/current/security/csrf.html#csrf-protection-in-login-forms, but the change in this document must be reverted. A suggested rewording for the linked section:

- See :ref:`form_login-csrf` for a login form that is protected from CSRF+ When using the ``form_login`` authenticator, see :ref:`form_login-csrf` to protected from  attacks. You can also configure the  :ref:`CSRF protection for the logout action <reference-security-logout-csrf>`.+ When implementing a custom authenticator, use the ``CsrfTokenBadge`` on the+ :doc:`security passport </security/custom_authenticator>`.

OK, I changed it, please take a look now.

For your suggested change, I'll come back to it after we found a solution for the below conversation.

I think we should also revert this change. The underscore prefix is only something used in the build-in authenticator (it's a convention in Symfony to prefix things with an underscore to avoid conflicts with application names).

When implementing a custom authenticator, you can name the field whatever you like and it's better tonot use the underscore prefix as this counters the anti-conflict purpose of the prefix.

OK, but now the docs are inconsistent (i.e. the HTML shown on one page doesn't work with the PHP code shown on the other page).

Solution? => Show the right HTML code here too!

To make this possible, the list athttps://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges needs to be changed to sub-headings. Then the PHP code block we're talking about can be moved upwards under the (new) "CsrfTokenBadge" heading (=where it belongs anyway). Then I can add this HTML, resulting in a complete copy-pastable sample:

<inputtype="hidden"name="csrf_token"value="{{ csrf_token('login') }}"><inputtype="text"name="username"><inputtype="password"name="password">

What do you think?