[Security] Stateless CSRF is enabled by default in 7.2 #20994
Conversation
0e258f7 into symfony:7.2
javiereguiluz commented May 27, 2025 • edited
Thanks Thomas! We tweaked this a bit to remove the "set as default" mention from the versionadded directive. These directives should only contain the usual "XXX feature was introduced in Symfony YYY" because we delete them in new major Symfony versions and we don't want to lose any important information. Thanks!
wouterj commented May 27, 2025 • edited
I don't think this change is correct. By default, CSRF is stateful. It's only stateless when configuring the token id as stateless using
@wouterj Isn't that what the recipe is doing (see link above)?
This should be reverted indeed. The doc is not about what recipes do, but about what can be done (with or without recipes).
While merging I added this:
Is this OK, or should we still revert this merge?
Works for me, thanks.
Page: https://symfony.com/doc/current/security/csrf.html#stateless-csrf-tokens
Info is taken from https://github.com/symfony/recipes/blob/main/symfony/form/7.2/config/packages/csrf.yaml
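The opt-in behaviour wouterj describes, written out as an added configuration example (this is not the recipe file linked above and not part of the thread): CSRF tokens stay session-backed unless a token id is listed under `stateless_token_ids`. The token id values are assumed for illustration.

```yaml
# config/packages/csrf.yaml (illustrative; token ids are assumed, not taken from the page)
framework:
    form:
        csrf_protection:
            enabled: true   # enabling form CSRF alone keeps tokens stateful (stored in the session)

    csrf_protection:
        # Only the token ids listed here get stateless tokens (not stored in the session).
        # Leave this option out and every token id remains stateful, which is the default.
        stateless_token_ids: ['submit', 'authenticate', 'logout']
```

Removing the `stateless_token_ids` block is enough to return all listed token ids to the stateful default.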