Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] : Aligning CSRFtokenId with other code sample#19808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
ThomasLandauer wants to merge3 commits intosymfony:5.4
base:5.4
Choose a base branch
Loading
fromThomasLandauer:patch-6
Open
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletionssecurity.rst
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -958,10 +958,9 @@ First, you need to enable CSRF on the form login:

.. _csrf-login-template:

Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF
token and store it as a hidden field of the form. By default, the HTML field
must be called ``_csrf_token`` and the string used to generate the value must
be ``authenticate``:
Then, add a hidden field to the form. In order to work with the built-in ``FormLoginAuthenticator``,
the HTML field must be called ``_csrf_token``, and the argument of Twig's ``csrf_token()`` function
must be called ``authenticate``:

.. code-block:: html+twig

Expand All@@ -971,7 +970,7 @@ be ``authenticate``:
<form action="{{ path('app_login') }}" method="post">
{# ... the login fields #}

<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
<input type="hidden" name="_csrf_token" value="{{ csrf_token('login') }}">

<button type="submit">login</button>
</form>
Expand Down
4 changes: 2 additions & 2 deletionssecurity/custom_authenticator.rst
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -349,9 +349,9 @@ would initialize the passport like this::
{
public function authenticate(Request $request): Passport
{
$password = $request->request->get('password');
$username = $request->request->get('username');
$csrfToken = $request->request->get('csrf_token');
$password = $request->request->get('password');
$csrfToken = $request->request->get('_csrf_token');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think we should also revert this change. The underscore prefix is only something used in the build-in authenticator (it's a convention in Symfony to prefix things with an underscore to avoid conflicts with application names).

When implementing a custom authenticator, you can name the field whatever you like and it's better tonot use the underscore prefix as this counters the anti-conflict purpose of the prefix.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

OK, but now the docs are inconsistent (i.e. the HTML shown on one page doesn't work with the PHP code shown on the other page).

Solution? => Show the right HTML code here too!

To make this possible, the list athttps://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges needs to be changed to sub-headings. Then the PHP code block we're talking about can be moved upwards under the (new) "CsrfTokenBadge" heading (=where it belongs anyway). Then I can add this HTML, resulting in a complete copy-pastable sample:

<inputtype="hidden"name="csrf_token"value="{{ csrf_token('login') }}"><inputtype="text"name="username"><inputtype="password"name="password">

What do you think?


// ... validate no parameter is empty

Expand Down
Loading
[8]ページ先頭
©2009-2025 Movatter.jp