Skip to content

[Form] Rename CSRF token field from _token to _csrf_token #60534

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ThomasLandauer opened this issue May 24, 2025 · 3 comments
Closed

[Form] Rename CSRF token field from _token to _csrf_token #60534

ThomasLandauer opened this issue May 24, 2025 · 3 comments
Labels
Form

Comments

@ThomasLandauer
Copy link
Contributor

ThomasLandauer commented May 24, 2025
edited
Loading

Description

I'm suggesting to change the default name of the automatically generated CSRF token form field from _token to _csrf_token.
I think it's happening at https://github.com/symfony/symfony/blob/7.3/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php#L35

Oddly enough, the docs at https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms are falsely claiming that it is called _csrf_token. But instead of changing the docs, I'm suggesting to change the feature, cause _csrf_token is certainly a better name.

Example

No response
@carsonbot carsonbot added the Form label May 24, 2025
@nicolas-grekas
Copy link
Member

nicolas-grekas commented May 25, 2025
edited
Loading

Works for me: the CSRF field in the Security component is also named _csrf_token
and https://github.com/symfony/recipes/blob/main/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js has a rule for _csrf_token, not _token (even if changing the name isn't strictly required since the data attribute is enough.

Up for a PR?

@ThomasLandauer
Copy link
Contributor Author

Up for a PR?

Well, "with a little help from my friends"... :-)
On the 7.3 branch?

@nicolas-grekas
Copy link
Member

Let's go with branch 7.3 yes

ThomasLandauer added a commit to ThomasLandauer/symfony that referenced this issue May 25, 2025
@ThomasLandauer
[Form] Changing CSRF token default name symfony#60534
8facc67
@ThomasLandauer ThomasLandauer mentioned this issue May 25, 2025
Closed
@yceruto yceruto closed this as not planned Won't fix, can't repro, duplicate, stale May 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Form
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Form] Changing CSRF token default name ThomasLandauer/symfony
4 participants
@nicolas-grekas @ThomasLandauer @yceruto @carsonbot