Twig function csrf_token('authenticate') returns 'csrf_token' #59111
Comments
|
By default, the new CSRF system is stateless since 7.2. That’s not a bug @cavias |
@Crovitche-1623 the word stateless is not mentioned in neither Security login nor CSRF documentation, so I am failing to understand why this is relevant or what implications it has for this usecase? See https://symfony.com/doc/current/security.html#form-login |
|
@cavias You are right the documentation is not updated yet (see symfony/symfony-docs#20306) but it's already enabled (see https://symfony.com/blog/new-in-symfony-7-2-stateless-csrf). See in this section, the |
|
As you probably installed Symfony 7.2, you also got the following recipe : symfony/recipes#1337 |
|
@cavias I tried to reproduce it on a fresh 7.2 simple project with a protected page and login form and the login worked with the stateless csrf with string "csrf-token" |
|
@Crovitche-1623 Thank you, that at least gives me some pointers as to what is going on. Disabling stateless_token_ids seems to "fix" it for now, but of course I'd like to get this working in the future. I see there is also a Stimulus csrf controller provided which I assume is relevant somehow. Once documentation is released on how to actually use this I will re-enable it. The app won't be live for a few months anyways, and I am getting a bit tired of all the github deep-diving I have to do to get things working. I will close this issue. |
|
The behavior you describe is correct and expected. The stateless CSRF protection that you enabled by adopting the recipe update leads to these not-random tokens. |
All I'm getting when trying to login is the error message "CSRF token invalid". I should have specified that, my apologies. I'm assuming the Stimulus csrf controller is supposed to do something here, but which data attributes with which data it needs, I do not know. |
|
You probably need to set a |
|
Oh, this might be something to add to the doc, right? PR welcome! |
|
@nicolas-grekas also to the |
|
Definitely
Le sam. 7 déc. 2024 à 15:35, Thibault G. ***@***.***> a
écrit :
… @nicolas-grekas <https://github.com/nicolas-grekas> also to the
make:security:form-login command no ?
—
Reply to this email directly, view it on GitHub
<#59111 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAB3PWRKLDBBMOQIDF26O6T2EMBUZAVCNFSM6AAAAABTFHMZD2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMRVGE4TANRQG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
The issue described above has been fixed in version 7.2.1. This is my assumption. |
|
It seems to me that with stateless enabled and without the csrf-protection controller we'll be left without a token based CSRF check completely? |
|
|
|
See symfony/recipes#1373 and linked issues |
…colas-grekas) This PR was merged into the 6.4 branch. Discussion ---------- Add data-controller="csrf-protection" to CSRF fields Submitting on 6.4 so that the resulting apps can more easily be updated to 7.2 See symfony/symfony#59111 Commits ------- e818e12 Add data-controller="csrf-protection" to CSRF fields
|
Hello! I was directed here from discussion #59382 I created. I still cannot fix it for my setup ( <input type="hidden" name="_csrf_token"
data-controller="csrf-protection"
value="csrf_token"
>Any ideas appreciated. // CC @nicolas-grekas |
|
If you cannot make it work, remove the csrf.yaml file brought by the recipe to revert back to previous behavior. |
|
I'm just seeing 'csrf-token' in the value field. No Javascript, no cookies, no headers being sent. Request comes through "OK". I had to delete the config; to make CSRF actually work (so there are now random values in the field, making it stateful again). With this setup (as described by this blog post), it seems to work, but all request work, making this seemingly CSRF protection, useless. |
|
@RobQuistNL You don't see any value because that's the point of the CSRF stateless check ! It's done using cookies and not a form value. |
|
@Crovitche-1623 What cookie would that be? I see no cookies being sent in the request. I see these 2; If I edit both and submit the form, it succeeds and no CSRF error is reported. |
|
@RobQuistNL Add the mandatory data-controller on your CSRF input then. See: |
|
@Crovitche-1623 that wasn't there indeed. I've added it, but its still simply accepting the request. FYI: there is 0 javascript in the webpage. Should the be more stuff added? I'd think it would be a local piece of javascript code. But how does that work for people that have JS disabled? |
|
Please note that all the paged so far have been generated using I don't know exactly when the input field was added to the twig template, but it didn't add the |
|
Also the registration form as generated by; just shows this; <form name="registration_form" method="post">
<div>(... just the form elements ...)</div>
<button type="submit" class="btn">Sign up</button>
<input type="hidden" id="registration_form__token" name="registration_form[_token]" data-controller="csrf-protection" value="csrf-token" /></form>and it doesn't matter if I remove / edit cookies and submit. It just succeeds. |
|
If I however change the value |
Symfony now enables Turbo UX by default, you will need to activate the AssetMapper |
Symfony version(s) affected
7.2.0
Description
I am building a login form according to instructions here https://symfony.com/doc/current/security.html#form-login
When I make the following code:
<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">The function
csrf_token('authenticate')generates thes tringcsrf_tokeninstead of an actual token. Making my login not work.By comparison, executing
csrf_token('randomstring')does generate a valid token.What is happening here?
How to reproduce
Seems to be as simple as doing
csrf_token('authenticate')in Twig.Possible Solution
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: