CSRF is invalid with Stateless CSRF #59065
Comments
Can you please try to create a small app that'd reproduce the issue? |
https://github.com/smbpunt/bug-sf-59065 I versioned the sqlite database and the .env.local.php Just clone/install and submit a form |
I didn't reproduce until I compiled assets, submitted them, then removed them. My guess is: you tried in dev, where the JS assets are auto-compiled. Then you turned prod mode, and it failed. The reason is that the session kept track of the JS submission and now requires the JS to be loaded as an additional protection. And the fix is on your side: run This is suboptimal, but running this command is mandatory to get assets ready for prod mode. |
Moved to a more generic RFC: #59072 |
@nicolas-grekas I had the same issue yesterday, but here we use Encore instead of Asset Mapper. |
The reason should be the same. |
Hello, I think there's something to look into. Indeed, on the test I provided, if you compile the assets, it seems to work... Is it possible that this is linked to a web server configuration? |
Are you behind a reverse proxy? If yes, ensure you configured trusted proxy headers. |
It's now working. Thanks! |
For information: how to configure HAProxy or Nginx? |
Read the doc? |
Alas, "read the doc" isn't so simple. I focus mostly on the application; our dev-ops contractor who helps manage the dokku instance on hetzner isn't available now. I know we use CloudFront, but I don't know if it's a reverse proxy. I see this, so I added the IPs:

```yaml
framework:
    trusted_proxies: '127.0.0.1,5.161.107.103,5.161.112.3,REMOTE_ADDR'
    http_method_override: false
    handle_all_throwables: true
    secret: '%env(APP_SECRET)%'
    csrf_protection: true
```

In short, this used to work with 7.1, and doesn't with 7.2, and I've read and re-read the docs, and this excellent article https://jolicode.com/blog/symfony-reverse-proxies-and-ip-protection and I'm feeling out of my league. Are you saying that I need to reorder when the assetmap:compile command happens? Currently it's loaded in the Procfile, common for heroku-ish deployments.
Any suggestions? Of course, it's particularly difficult to test as I hack something in and have to push it to the production site to see if it's working. |
REMOTE_ADDR should be listed only if you're sure your dokku instance is not available without getting through CloudFront. Alternatively, the full list is at https://ip-ranges.amazonaws.com/ip-ranges.json (all this is in the doc ;) ). Then, you need to configure the trusted headers. Not sure which headers CloudFront uses, but you should be able to know by inspecting requests as seen by the app. |
Oh, and you can still not opt-in for the stateless CSRF if you really cannot configure trusted proxies. |
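The two comments above say to list only the proxy addresses that actually sit in front of the app and then to declare which forwarded headers the app may trust. The following config/packages/framework.yaml fragment is an added example, not a file from the issue or from the bug-sf-59065 repository: it shows the incomplete setting from the thread (REMOTE_ADDR trusted unconditionally, no trusted_headers) next to a corrected form. The `10.0.0.0/8` CIDR and the `203.0.113.0/24` range stand in for the real load-balancer and CDN address lists, which you would take from your own infrastructure (for CloudFront, the ip-ranges.json file linked above).

```yaml
# Weak: every peer that reaches PHP directly is trusted, and the forwarded
# headers are left at their defaults, so a caller who can bypass the CDN can
# choose the host/scheme the app sees. (Configuration as quoted in the thread.)
# framework:
#     trusted_proxies: '127.0.0.1,5.161.107.103,5.161.112.3,REMOTE_ADDR'

# Corrected (example values; replace the placeholder ranges with your own):
framework:
    # Only the hops that legitimately forward traffic to the application.
    # 10.0.0.0/8 is a placeholder for the internal load balancer network,
    # 203.0.113.0/24 a placeholder for the CDN egress ranges.
    trusted_proxies: '127.0.0.1,10.0.0.0/8,203.0.113.0/24'
    # Declare explicitly which forwarded headers those proxies are allowed
    # to set; the stateless CSRF check relies on the scheme/host derived here.
    trusted_headers:
        - 'x-forwarded-for'
        - 'x-forwarded-host'
        - 'x-forwarded-proto'
        - 'x-forwarded-port'
    http_method_override: false
    handle_all_throwables: true
    secret: '%env(APP_SECRET)%'
    csrf_protection: true
```

If the proxy is only reachable through the CDN (the condition stated in the thread for keeping REMOTE_ADDR), `REMOTE_ADDR` can be kept in `trusted_proxies`; otherwise listing concrete ranges, as above, keeps an unproxied client from spoofing the forwarded host and scheme that the Origin/Referer comparison depends on.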
Hello, I installed the application (which worked) on another server. This other server uses the same HA Proxy (and the same HA Proxy configuration). We're looking into it (which could be the server's configuration? php packages ? web server configuration ?), but if you have any leads, I'd love to hear it. Edit: Okay, we've found the problem. |
Symfony version(s) affected
7.2.0
Description
Hi,
After upgrading from Symfony 7.1.6 to 7.2.0 and updating the associated recipes, I encountered a bug when submitting forms: "CSRF token is invalid".
Key Details:
Also, I created a fresh Symfony webapp with a simple CRUD setup. The same issue occurred.
How to reproduce
https://github.com/smbpunt/bug-sf-59065
It's a simple new “webapp” with an entity and an associated crud (all generated via maker-bundle).
/new
Possible Solution
The only working solution/workaround was to comment out the `stateless` configuration in csrf.yaml.
Additional Context
No response