From 11383f8ad5be5abed7fe006110a57a8b518809ca Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Thu, 28 May 2015 12:41:39 +0200 Subject: [PATCH] 4668 document isCsrfTokenValid --- book/controller.rst | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/book/controller.rst b/book/controller.rst index 7ec7bd4ae3a..18555aeb521 100644 --- a/book/controller.rst +++ b/book/controller.rst @@ -440,7 +440,7 @@ If you want to redirect the user to another page, use the ``redirectToRoute()`` } .. versionadded:: 2.6 - The ``redirectToRoute()`` method was added in Symfony 2.6. Previously (and still now), you + The ``redirectToRoute()`` method was introduced in Symfony 2.6. Previously (and still now), you could use ``redirect()`` and ``generateUrl()`` together for this (see the example above). Or, if you want to redirect externally, just use ``redirect()`` and pass it the URL:: @@ -803,6 +803,28 @@ Just like when creating a controller for a route, the order of the arguments of order of the arguments, Symfony will still pass the correct value to each variable. +Validating a CSRF Token +----------------------- + +Sometimes you want to use CSRF protection in an action where you don't want to use the +Symfony Form component. + +If, for example, you're doing a DELETE action, you can use the +:method:`Symfony\\Bundle\\FrameworkBundle\\Controller\\Controller::isCsrfTokenValid` +method to check the CSRF token:: + + if ($this->isCsrfTokenValid('token_id', $submittedToken)) { + // ... do something, like deleting an object + } + +.. versionadded:: 2.6 + The ``isCsrfTokenValid()`` shortcut method was introduced in Symfony 2.6. + It is equivalent to executing the following code:: + + use Symfony\Component\Security\Csrf\CsrfToken; + + $this->get('security.csrf.token_manager')->isTokenValid(new CsrfToken('token_id', 'TOKEN')); + Final Thoughts --------------