Obviously, I would like to enforce setting a CSRF token in the login form. Suppose that I don't add a CSRF token to the login form and I submit the form. At this point, my request is that the response must be returned as denied because I didn't add a CSRF token.

How can I do this, or can I do this?

  • Do you have a LoginFormAuthenticator in your source code? You can check if the CSRF is valid in the authenticator class. Commented Feb 19, 2019 at 10:56
  • Actually, I wanted to ask whether there is an annotation to check CSRF like "@Route". Already, there is a way to check CSRF in a controller like AuthenticationUtils. But I don't know it, because it is not practical. I want to add a CSRF checker to more than one controller that manages POST forms. I don't know, did you understand me? Commented Feb 19, 2019 at 13:11
  • I'm not aware of any annotation that can do what you ask. In your case I would use an authenticator to intercept your form submissions and validate your CSRF tokens. Take a look at this doc symfony.com/doc/current/security/form_login_setup.html Commented Feb 19, 2019 at 13:31

2 Answers

Sure you can. You simply need to create and output a CSRF token:

<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">

Normally that's all you need because https://github.com/symfony/security/blob/master/Http/Firewall/SimpleFormAuthenticationListener.php#L59-L60 checks the token automatically. You need to use exactly _csrf_token as the field name and authenticate as the token name.

You can personalize it if you want in:

# app/config/security.yml
security:
    # ...

    firewalls:
        secured_area:
            # ...
            form_login:
                # ...
                csrf_parameter: YOUR_csrf_token
                csrf_token_id: YOUR_authenticate

Watch out! This form login listener is deprecated since 4.2. Here is the example with guard https://symfony.com/doc/current/security/form_login_setup, which is the recommended approach.

Cheers!
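The comments above recommend enforcing the token inside an authenticator instead of in every controller. As an added example that is not from the post or from Symfony's own code: on Symfony 5.2 and later, where the Guard component linked in the answer has been replaced by the authenticator system, the same enforcement is a CsrfTokenBadge attached to the Passport, using the same "_csrf_token" field and "authenticate" token id as the answer; the class name, file path and route names are assumptions.

```php
// Assumed file path: src/Security/LoginFormAuthenticator.php
namespace App\Security;

use Symfony\Component\HttpFoundation\{RedirectResponse, Request, Response};
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\{CsrfTokenBadge, UserBadge};
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;

class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
    private $urlGenerator;

    public function __construct(UrlGeneratorInterface $urlGenerator)
    {
        $this->urlGenerator = $urlGenerator;
    }

    // supports() is inherited: only POST requests to getLoginUrl() reach authenticate().
    public function authenticate(Request $request): Passport
    {
        // The CsrfTokenBadge carries the submitted "_csrf_token" value together with the
        // "authenticate" token id. The firewall's CsrfProtectionListener validates it and
        // fails the login with an InvalidCsrfTokenException when the field is missing,
        // forged or stale, before the user is loaded or the password is checked.
        return new Passport(
            new UserBadge((string) $request->request->get('_username', '')),
            new PasswordCredentials((string) $request->request->get('_password', '')),
            [new CsrfTokenBadge('authenticate', (string) $request->request->get('_csrf_token', ''))]
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // Assumed route name for the post-login destination.
        return new RedirectResponse($this->urlGenerator->generate('homepage'));
    }

    protected function getLoginUrl(Request $request): string
    {
        // Assumed route name of the login form; a failed CSRF check redirects back here.
        return $this->urlGenerator->generate('login');
    }
}
```

Register the class under the firewall's custom_authenticator key in security.yaml (Symfony 5.x additionally needs enable_authenticator_manager: true). A login POST without a valid _csrf_token is then rejected by the firewall before any credentials are examined.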


You can inject the CsrfTokenManagerInterface in your Controller and use it in your login method as in the following example:

SecurityController.php

// src/Controller/SecurityController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

class SecurityController extends Controller
{
    /** @var CsrfTokenManagerInterface|null */
    private $tokenManager;

    public function __construct(CsrfTokenManagerInterface $tokenManager = null)
    {
        $this->tokenManager = $tokenManager;
    }

    /**
     * @Route("/login", name="login")
     *
     * @param Request $request
     */
    public function login(Request $request)
    {
        // Get the login error if one exists
        $error = $this->get('security.authentication_utils')->getLastAuthenticationError();

        // Last username entered by the user
        $lastUsername = $this->get('security.authentication_utils')->getLastUsername();

        // Token the form must send back in its "_csrf_token" field
        $csrfToken = $this->tokenManager
            ? $this->tokenManager->getToken('authenticate')->getValue()
            : null;

        if (null === $csrfToken) {
            // Replace with your own exception or handling
            throw new \LogicException('CSRF token manager is not available.');
        }

        // Template path assumed; the token is passed to the form
        return $this->render('security/login.html.twig', [
            'last_username' => $lastUsername,
            'error' => $error,
            'csrf_token' => $csrfToken,
        ]);
    }
}
