From 0044aa24d2cf2d7fd5fc06ac475c6fef38969cb9 Mon Sep 17 00:00:00 2001 From: Raistlfiren Date: Tue, 1 Dec 2015 09:17:18 -0600 Subject: [PATCH 1/4] Updated csrf_in_login_form.rst to include csrf_token_id and csrf_token_generator Updated CSRF documentation to rename intention and csrf_provider. They were renamed in SF 3.0 to csrf_token_id and csrf_token_generator. --- cookbook/security/csrf_in_login_form.rst | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index b7649aa92f7..dc40fd8f5f8 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -13,6 +13,10 @@ for CSRF. In this article you'll learn how you can use it in your login form. Login CSRF attacks are a bit less well-known. See `Forging Login Requests`_ if you're curious about more details. +.. note:: + + Since SF 2.8 ``intention`` has been depreciated, and removed in SF 3.0. It is now labeled as ``csrf_token_id``. ``csrf_provider`` was changed in SF 3.0 to ``csrf_token_generator``. + Configuring CSRF Protection --------------------------- @@ -33,7 +37,9 @@ provider available in the Security component: # ... form_login: # ... - csrf_provider: security.csrf.token_manager + # Use csrf_provider in SF <2.8 + # csrf_provider: security.csrf.token_manager + csrf_token_generator: security.csrf.token_manager .. code-block:: xml @@ -66,7 +72,9 @@ provider available in the Security component: // ... 'form_login' => array( // ... - 'csrf_provider' => 'security.csrf.token_manager', + // Use csrf_provider in SF <2.8 + // 'csrf_provider' => 'security.csrf.token_manager', + 'csrf_token_generator' => 'security.csrf.token_manager', ), ), ), @@ -122,7 +130,7 @@ After this, you have protected your login form against CSRF attacks. .. tip:: You can change the name of the field by setting ``csrf_parameter`` and change - the token ID by setting ``intention`` in your configuration: + the token ID by setting ``csrf_token_id`` ~~``intention``~~ in your configuration: .. configuration-block:: @@ -138,7 +146,8 @@ After this, you have protected your login form against CSRF attacks. form_login: # ... csrf_parameter: _csrf_security_token - intention: a_private_string + # intention: a_private_string + csrf_token_id: a_private_string .. code-block:: xml @@ -156,7 +165,8 @@ After this, you have protected your login form against CSRF attacks. + csrf_token_id="a_private_string" /> @@ -174,7 +184,8 @@ After this, you have protected your login form against CSRF attacks. 'form_login' => array( // ... 'csrf_parameter' => '_csrf_security_token', - 'intention' => 'a_private_string', + 'csrf_token_id' => 'a_private_string' + // 'intention' => 'a_private_string', ), ), ), From 91b5e2e6349c0818eccf911f5aae9c5652848b00 Mon Sep 17 00:00:00 2001 From: Aaron Valandra Date: Wed, 2 Dec 2015 09:00:24 -0600 Subject: [PATCH 2/4] Updated documentation as requested by @stof and @xabbuh --- cookbook/security/csrf_in_login_form.rst | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index dc40fd8f5f8..4fabb4ecc50 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -13,10 +13,6 @@ for CSRF. In this article you'll learn how you can use it in your login form. Login CSRF attacks are a bit less well-known. See `Forging Login Requests`_ if you're curious about more details. -.. note:: - - Since SF 2.8 ``intention`` has been depreciated, and removed in SF 3.0. It is now labeled as ``csrf_token_id``. ``csrf_provider`` was changed in SF 3.0 to ``csrf_token_generator``. - Configuring CSRF Protection --------------------------- @@ -37,8 +33,6 @@ provider available in the Security component: # ... form_login: # ... - # Use csrf_provider in SF <2.8 - # csrf_provider: security.csrf.token_manager csrf_token_generator: security.csrf.token_manager .. code-block:: xml @@ -72,8 +66,6 @@ provider available in the Security component: // ... 'form_login' => array( // ... - // Use csrf_provider in SF <2.8 - // 'csrf_provider' => 'security.csrf.token_manager', 'csrf_token_generator' => 'security.csrf.token_manager', ), ), @@ -130,7 +122,7 @@ After this, you have protected your login form against CSRF attacks. .. tip:: You can change the name of the field by setting ``csrf_parameter`` and change - the token ID by setting ``csrf_token_id`` ~~``intention``~~ in your configuration: + the token ID by setting ``csrf_token_id`` in your configuration: .. configuration-block:: @@ -146,7 +138,6 @@ After this, you have protected your login form against CSRF attacks. form_login: # ... csrf_parameter: _csrf_security_token - # intention: a_private_string csrf_token_id: a_private_string .. code-block:: xml @@ -165,7 +156,6 @@ After this, you have protected your login form against CSRF attacks. csrf_token_id="a_private_string" /> @@ -185,11 +175,15 @@ After this, you have protected your login form against CSRF attacks. // ... 'csrf_parameter' => '_csrf_security_token', 'csrf_token_id' => 'a_private_string' - // 'intention' => 'a_private_string', ), ), ), )); +versionadded:: 2.8 + The ``intention`` and ``csrf_token_generator`` options were introduced + in Symfony 2.8. Prior, you had to use the ``csrf_token_id`` and ``csrf_provider`` + options. + .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery .. _`Forging Login Requests`: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests From 3ceb61cdfe624c82ca3c3a2cd07c196ace27da4f Mon Sep 17 00:00:00 2001 From: Aaron Valandra Date: Wed, 2 Dec 2015 09:11:56 -0600 Subject: [PATCH 3/4] Improper markdown for versionadded. --- cookbook/security/csrf_in_login_form.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index 4fabb4ecc50..203b8d9dd5f 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -180,7 +180,7 @@ After this, you have protected your login form against CSRF attacks. ), )); -versionadded:: 2.8 +.. versionadded:: 2.8 The ``intention`` and ``csrf_token_generator`` options were introduced in Symfony 2.8. Prior, you had to use the ``csrf_token_id`` and ``csrf_provider`` options. From 304d7a5f052430fbd9b52529cf9f97ebf032b6cd Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Fri, 15 Jan 2016 22:52:28 +0100 Subject: [PATCH 4/4] finish csrf_token_generator and csrf_token_id docs --- book/forms.rst | 10 +++++++--- cookbook/security/csrf_in_login_form.rst | 15 +++++++++------ reference/configuration/security.rst | 15 ++++++++++----- 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/book/forms.rst b/book/forms.rst index 3d6ef5d6d82..8c43224040d 100644 --- a/book/forms.rst +++ b/book/forms.rst @@ -1809,7 +1809,7 @@ The CSRF token can be customized on a form-by-form basis. For example:: 'csrf_protection' => true, 'csrf_field_name' => '_token', // a unique key to help generate the secret token - 'intention' => 'task_item', + 'csrf_token_id' => 'task_item', )); } @@ -1825,8 +1825,12 @@ section. .. note:: - The ``intention`` option is optional but greatly enhances the security of - the generated token by making it different for each form. + The ``csrf_token_id`` option is optional but greatly enhances the security + of the generated token by making it different for each form. + +.. versionadded:: 2.4 + The ``csrf_token_id`` option was introduced in Symfony 2.4. Prior, you + had to use the ``intention`` option. .. caution:: diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index 203b8d9dd5f..c339454ec56 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -50,7 +50,7 @@ provider available in the Security component: - + @@ -72,6 +72,10 @@ provider available in the Security component: ), )); +.. versionadded:: 2.4 + The ``csrf_token_generator`` option was introduced in Symfony 2.4. Prior, + you had to use the ``csrf_provider`` option. + The Security component can be configured further, but this is all information it needs to be able to use CSRF in the login form. @@ -156,7 +160,7 @@ After this, you have protected your login form against CSRF attacks. @@ -180,10 +184,9 @@ After this, you have protected your login form against CSRF attacks. ), )); -.. versionadded:: 2.8 - The ``intention`` and ``csrf_token_generator`` options were introduced - in Symfony 2.8. Prior, you had to use the ``csrf_token_id`` and ``csrf_provider`` - options. +.. versionadded:: 2.4 + The ``csrf_token_id`` option was introduced in Symfony 2.4. Prior, you + had to use the ``intention`` option. .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery .. _`Forging Login Requests`: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index fcec22c8685..e4f99da35d0 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -17,6 +17,11 @@ Each part will be explained in the next section. Support for restricting security firewalls to specific http methods was introduced in Symfony 2.5. +.. versionadded:: 2.4 + The ``csrf_token_generator`` and ``csrf_token_id`` were introduced in + Symfony 2.4. Prior, you had to use the ``csrf_provider`` and ``intention`` + options. + .. configuration-block:: .. code-block:: yaml @@ -165,9 +170,9 @@ Each part will be explained in the next section. password_parameter: _password # csrf token options - csrf_parameter: _csrf_token - intention: authenticate - csrf_provider: my.csrf_provider.id + csrf_parameter: _csrf_token + csrf_token_id: authenticate + csrf_token_generator: my.csrf_token_generator.id # by default, the login form *must* be a POST, not a GET post_only: true @@ -213,8 +218,8 @@ Each part will be explained in the next section. context: ~ logout: csrf_parameter: _csrf_token - csrf_provider: ~ - intention: logout + csrf_token_generator: ~ + csrf_token_id: logout path: /logout target: / success_handler: ~