
[Security] No CSRF in the login form? #3059

Closed
Gregwar opened this issue Oct 10, 2013 · 2 comments
Labels
actionable Clear and specific issues ready for anyone to take them. Form hasPR A Pull Request has already been submitted for this issue. Security

Comments

@Gregwar

Gregwar commented Oct 10, 2013

In the login form of the documentation, there is no CSRF protection.
I think that forcing a user to log in may be a security issue in some cases.

Any opinion on that?

@Gregwar
Author

Gregwar commented Oct 10, 2013

This kind of thing could be done like the code shown in this accepted PR:
symfony/symfony#3080

@wouterj
Member

wouterj commented Dec 3, 2013

The login form would benefit from a CSRF protection, mostly because people are having issues with this. But this topic is too big to talk about in the book chapter; a new article should be created in cookbook/security which talks about this topic. And in the book chapter, in the "Using a Traditional Login Form" section, a .. caution should be added, talking about CSRF and linking to this cookbook article.

Globally speaking, the CSRF is handled by the security system. The only thing you need to do is to add a field and configure it.

To configure it, you need to set the csrf_provider:

security:
    firewalls:
        secured_area:
            # ...
            login:
                # ...
                csrf_provider: form.csrf_provider

Now, you need to render a field in the form with the name of _csrf_token (this can be changed by setting csrf_parameter) and then generate the csrf (using the csrf_token function seen in symfony/symfony#3080 ) with the id authenticate (this can be changed by the intention setting):

<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">

To make things easier, the options have been renamed in 2.4. After the PR is merged, this should be reflected:

  • csrf_provider -> csrf_token_provider
  • intention -> csrf_token_id
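A compact model of the check the comment above configures, added here as an example and not Symfony's own code: a per-session token store keyed by the token id (the `intention` / `csrf_token_id` value `authenticate`), the hidden `_csrf_token` field (`csrf_parameter`), and the validation a login POST must pass. The `session` dict and the `TokenManager` class are assumptions standing in for Symfony's session-backed token storage; the credential check is left out on purpose.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed model of the form_login CSRF check; not Symfony's code.
CSRF_PARAMETER = "_csrf_token"  # form field name (csrf_parameter option)
CSRF_TOKEN_ID = "authenticate"  # token id (intention / csrf_token_id option)


class TokenManager:
    """Per-session token store keyed by token id (assumed stand-in for
    Symfony's csrf provider / token generator service)."""

    def __init__(self, session: Dict[str, str]):
        self.session = session  # assumption: one server-side dict per user

    def get_token(self, token_id: str) -> str:
        # One token per (session, id): the same id renders the same value,
        # a different id (e.g. another form) gets an unrelated token.
        key = "_csrf/" + token_id
        if key not in self.session:
            self.session[key] = secrets.token_urlsafe(32)
        return self.session[key]

    def is_token_valid(self, token_id: str, value: Optional[str]) -> bool:
        expected = self.session.get("_csrf/" + token_id)
        if expected is None or value is None:
            return False
        # Constant-time compare so the check itself leaks nothing.
        return hmac.compare_digest(expected, value)


def render_login_form(manager: TokenManager) -> str:
    """What {{ csrf_token('authenticate') }} produces in the login template."""
    token = manager.get_token(CSRF_TOKEN_ID)
    return f'<input type="hidden" name="{CSRF_PARAMETER}" value="{token}">'


def handle_login_post(manager: TokenManager, post: Dict[str, str]) -> str:
    """Reject the login attempt unless the token for the login id matches.

    A forged cross-site POST cannot carry this session's token, so a victim
    cannot be silently logged in with attacker-chosen credentials.
    """
    if not manager.is_token_valid(CSRF_TOKEN_ID, post.get(CSRF_PARAMETER)):
        return "Invalid CSRF token."  # Symfony throws InvalidCsrfTokenException
    # ... username/password verification would follow here (omitted)
    return "authenticated"
```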

weaverryan added a commit that referenced this issue Jan 16, 2016
…lfiren, Aaron Valandra, xabbuh)

This PR was merged into the 2.7 branch.

Discussion
----------

csrf_token_generator and csrf_token_id documentation

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New docs?     | yes (symfony/symfony#6554, symfony/symfony#9587)
| Applies to    | 2.4+
| Fixed tickets | #3059, #5942

Commits
-------

304d7a5 finish csrf_token_generator and csrf_token_id docs
3ceb61c Improper markdown for versionadded.
91b5e2e Updated documentation as requested by @stof and @xabbuh
0044aa2 Updated csrf_in_login_form.rst to include csrf_token_id and csrf_token_generator