
[Security] Stateless CSRF is enabled by default in 7.2 #20994


Merged
merged 1 commit into from
May 27, 2025

Conversation

ThomasLandauer
Contributor

@javiereguiluz javiereguiluz added this to the 7.2 milestone May 27, 2025
@javiereguiluz javiereguiluz merged commit 0e258f7 into symfony:7.2 May 27, 2025
3 checks passed
@javiereguiluz
Member

javiereguiluz commented May 27, 2025

Thanks Thomas!

We tweaked this a bit to remove the "set as default" mention from the versionadded directive. These directives should only contain the usual "XXX feature was introduced in Symfony YYY" because we delete them in new major Symfony versions and we don't want to lose any important information. Thanks!

@wouterj
Member

wouterj commented May 27, 2025

I don't think this change is correct. By default, CSRF is stateful. It's only stateless when configuring the token id as stateless using stateless_token_ids. This is precisely what is documented in the next sentence and example from the one edited here.

@ThomasLandauer
Contributor Author

@wouterj Isn't that what the recipe is doing (see link above)?

@ThomasLandauer ThomasLandauer deleted the patch-22 branch May 27, 2025 10:19
@nicolas-grekas
Member

This should be reverted indeed. The doc is not about what recipes do, but about what can be done (with or without recipes).

@javiereguiluz
Member

While merging I added this:

Stateless CSRF tokens are enabled by default in applications using :ref:`Symfony Flex <symfony-flex>`.

Is this OK, or should we still revert this merge?

@nicolas-grekas
Member

.. versionadded:: 7.2

    Stateless anti-CSRF protection was introduced in Symfony 7.2.

Traditionally, CSRF tokens are stateful, meaning they're stored in the session.
However, some token IDs can be declared as stateless using the
``stateless_token_ids`` option. Stateless CSRF tokens are enabled by default
in applications using :ref:`Symfony Flex <symfony-flex>`.

works for me, thanks.
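To make the distinction discussed in this thread concrete, here is an added configuration example (not taken from the Symfony documentation or from any Flex recipe) showing the two states side by side. The option path ``framework.csrf_protection.stateless_token_ids`` and the token IDs listed are assumptions for illustration; what the page itself states is only that the option is named ``stateless_token_ids`` and that, without it, tokens stay in the session.

```yaml
# config/packages/framework.yaml  (added example, not project code)

# Default behaviour with no stateless_token_ids configured:
# every CSRF token is stateful, i.e. stored in and validated against the session.
# framework:
#     csrf_protection: true

# Declaring specific token IDs as stateless. Only the IDs listed here are
# validated without session state; any other token ID keeps the traditional
# session-backed behaviour. The IDs below are illustrative assumptions.
framework:
    csrf_protection:
        stateless_token_ids:
            - submit        # token id used by a form (assumed name)
            - authenticate  # token id used by the login form (assumed name)
            - logout        # token id used by the logout route (assumed name)
```

The practical check for an operator reading this thread: if this key is absent from the application's configuration, CSRF protection is stateful, regardless of whether the project was bootstrapped with Symfony Flex; the "enabled by default" wording in the merged doc refers to what the Flex recipe writes into this file, not to the framework's own default.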
