CSRF: Generated HTML value is `"csrf_token"` in Dev #59382

Menelion · 2025-01-07T00:45:28Z

Menelion
Jan 7, 2025

Folks, I'm developing a Symfony 7.2 app and I'm having a stupid error. I definitely missed something but I don't know what.
When I try to log in (I use slightly tweaked output of make:security:login-form), it says "Invalid CSRF token". and of course it is invalid, because HTML field generated by Twig looks like this:

<input type="hidden" name="_csrf_token"
value="csrf-token"
        >

So, the value of the token is, well, csrf-token. Although Twig is correct:

        <input type="hidden" name="_csrf_token"
               value="{{ csrf_token('authenticate') }}"
        >

Here is the firewall:

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true
            logout:
                path: app_logout
                target: /

It's a Windows machine, environment is Dev, debug is on.
Any ideas are hugely appreciated.

Answered by Menelion

Jan 7, 2025

Thank you @MatTheCat, solution found.
Here are the steps:

Make sure StimulusBundle is installed and enabled.
Make sure csrf.yaml is present.
In the login.twig.html template replace the CSRF token input with the following:

        <input type="hidden" name="_csrf_token"
        data-controller="csrf-protection"
        value="csrf_token"
        >

Note! You have to clear the cache afterwards (at least, I had to): ./bin/console cache:clear.
Enjoy!

View full answer

MatTheCat · 2025-01-07T08:37:36Z

MatTheCat
Jan 7, 2025

7.2 recipes configure some stateless CSRF token IDs like authenticate.

The StimulusBundle’s recipe has been updated as well to generate the token client-side, but if you’re not using it you have two options:

unconfigure stateless token IDs
implement the token generation and cookie creation yourself

0 replies

Menelion · 2025-01-07T13:26:26Z

Menelion
Jan 7, 2025
Author

Sorry @MatTheCat, but I still don't understand. I have no such things in the configuration, so should I add it manually? In my framework node I have:

framework:
    secret: '%env(APP_SECRET)%'
    session: true

    #esi: true
    #fragments: true

when@test:
    framework:
        test: true
        session:
            storage_factory_id: session.storage.factory.mock_file

So nothing related to CSRF in the Framework node. Should I re-add it or?.. It's a clear new 7.2 installation, so I'm confused.

1 reply

MatTheCat Jan 7, 2025

The corresponding config got moved in csrf.yaml by symfony/recipes#1361 so you should find this one?

Menelion · 2025-01-07T13:33:09Z

Menelion
Jan 7, 2025
Author

Yepp, csrf.yaml is like this:

framework:
    form:
        csrf_protection:
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit
            - authenticate
            - logout

So what am I missing here? Here's the login template:

{% extends 'base.html.twig' %}

{% block title %}Please Sign In{% endblock %}

{% block content %}
    <form method="post">
        {% if error %}
            <div class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
        {% endif %}

        {% if app.user %}
            <div class="mb-3" role="contentinfo">
                You are logged in as {{ app.user.displayName}}, <a href="{{ path('app_logout') }}">Logout</a>
            </div>
        {% endif %}

        <h1 class="h3 mb-3 font-weight-normal">Please sign in</h1>
        <label for="username">Username</label>
        <input type="text" value="{{ last_username }}" name="_username" id="username" class="form-control" autocomplete="username" required autofocus>
        <label for="password">Password</label>
        <input type="password" name="_password" id="password" class="form-control" autocomplete="current-password" required>

        <input type="hidden" name="_csrf_token"
               value="{{ csrf_token('authenticate') }}"
        >

        <button class="btn btn-default" type="submit">
            Sign in
        </button>
    </form>
{% endblock %}

4 replies

MatTheCat Jan 7, 2025

The new csrf.yaml config enables stateless CSRF protection for tokens whose ID is submit, authenticate or logout, which means those tokens must be generated client-side.

So you have two choices: either you implement this client-side part (with the StimulusBundle or yourself), or you remove the stateless_token_ids configuration so that all tokens are generated by Symfony and stored in the session.

(Please use “Write a reply” instead of “Suggest an answer” when you are replying: that makes conversation more easy to follow!)

Menelion Jan 7, 2025
Author

Oh, sorry for hijacking the discussion and writing comments in the wrong place, my bad.
I'm really new to Stimulus. I have it installed, the CSRF protection controller is here. So, am I right that I just need to add data-controller="csrf_protection" on the… what, <form> itself? Also, if I want to improve this flow for everyone, would I add this thing to the login.html.twig in make:security:form-login flow? I really want to resolve the problem for myself and then to help everyone.

MatTheCat Jan 7, 2025

Oh, sorry for hijacking the discussion and writing comments in the wrong place, my bad.

No problem, it’s just good to know when many people are involved ^^

am I right that I just need to add data-controller="csrf_protection" on the… what, <form> itself?

You’re half-right: this attribute must be added on the CSRF token field! If Stimulus is working then that should be all indeed.

I really want to resolve the problem for myself and then to help everyone.

I understand how you feel and you’re not the only one (see #59111 e.g.). An issue is still open for documenting this feature: symfony/symfony-docs#20306 you may want to contribute.

Menelion Jan 7, 2025
Author

Still cannot fix it, commented in #59111 . Now I have:

        <input type="hidden" name="_csrf_token"
        data-controller="csrf-protection"
        value="csrf_token"
        >

Stimulus bundle is there, but for some reason no assets are put into the public folder by make:assets-install public command.

Menelion · 2025-01-07T16:36:55Z

Menelion
Jan 7, 2025
Author

Thank you @MatTheCat, solution found.
Here are the steps:

Make sure StimulusBundle is installed and enabled.
Make sure csrf.yaml is present.
In the login.twig.html template replace the CSRF token input with the following:

        <input type="hidden" name="_csrf_token"
        data-controller="csrf-protection"
        value="csrf_token"
        >

Note! You have to clear the cache afterwards (at least, I had to): ./bin/console cache:clear.
Enjoy!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF: Generated HTML value is `"csrf_token"` in Dev #59382

{{title}}

Replies: 4 comments 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

CSRF: Generated HTML value is "csrf_token" in Dev #59382

Menelion Jan 7, 2025

Replies: 4 comments · 5 replies

MatTheCat Jan 7, 2025

Menelion Jan 7, 2025 Author

MatTheCat Jan 7, 2025

Menelion Jan 7, 2025 Author

MatTheCat Jan 7, 2025

Menelion Jan 7, 2025 Author

MatTheCat Jan 7, 2025

Menelion Jan 7, 2025 Author

Menelion Jan 7, 2025 Author

CSRF: Generated HTML value is `"csrf_token"` in Dev #59382

Menelion
Jan 7, 2025

Replies: 4 comments 5 replies

MatTheCat
Jan 7, 2025

Menelion
Jan 7, 2025
Author

Menelion
Jan 7, 2025
Author

Menelion Jan 7, 2025
Author

Menelion Jan 7, 2025
Author

Menelion
Jan 7, 2025
Author