Menu
I have created a Symfony2 form and bound it to the Request. I need to explicitly ensure whether the CSRF token is valid/invalid before proceeding with the rest of the form.
$form['_token']->isValid() throws OutOfBoundsException with message "Child _token does not exist."
I can still verify that the rendered form contains _token field. In case that CSRF value is invalid, $form->isValid() returns false.
What am I missing here?
Update 1:
Controller (partial):
private function buildTestForm() {
$form = $this->createFormBuilder()
->add('name','text')
->getForm();
return $form;
}
/**
* @Route("/test/show_form", name="test.form.show")
* @Method("GET")
*/
public function showFormTest()
{
$form = $this->buildTestForm();
return $this->render('TestBundle::form_test.html.twig', array('form' => $form->createView()));
}
/**
* @Route("/test/submit_form", name="test.form.submit")
* @Method("POST")
*/
public function formTest()
{
$form = $this->buildTestForm();
$form->bind($this->getRequest());
if ($form['_token']->isValid()) {
return new Response('_token is valid');
} else {
return new Response('_token is invalid');
}
}
Template
{# Twig template #}
<form action="{{ path('test.form.submit') }}" method="post" {{ form_enctype(form) }}>
{{ form_widget(form) }}
<input type="submit" name="go" value="Test Form" />
</form>
757
A couple of ways you can test it: Open the developer tools in your browser find the input element for the CSRF token and edit the token value. Trigger a POST submission. This should cause an error, HTTP status 403 typically.
In addition to this, the CSRF token should be stored on the server-side application, which verifies every request that requires validation. The server-side application should ensure that valid requests include a token matching the value stored during the user's active session.
Another way (if you prefer DI) to validate token outside of controller (e.g. in listener):
/** @var Symfony\Component\Security\Csrf\CsrfTokenManagerInterface */
private $csrfTokenManager;
public function __construct(CsrfTokenManagerInterface $csrfTokenManager)
{
$this->csrfTokenManager = $csrfTokenManager;
}
public function isValid(): bool
{
return $this->csrfTokenManager->isTokenValid(
new CsrfToken('authenticate', $request->getRequest()->headers->get('X-CSRF-TOKEN'))
);
}
In addition to artworkad, you can specify an intention:
Twig:
<form method="post">
<input type="text" name="form_name[field]" value="" />
<input type="hidden" name="_csrf_token" value="{{ csrf_token('form_name') }}">
</form>
PHP:
$token = $request->request->get('_csrf_token');
$csrf_token = new CsrfToken('form_name', $token);
var_dump($this->get('security.csrf.token_manager')->isTokenValid($csrf_token));
Or not:
Twig:
<form method="post">
<input type="text" name="field" value="" />
<input type="hidden" name="_csrf_token" value="{{ csrf_token('') }}">
</form>
PHP:
$token = $request->request->get('_csrf_token');
$csrf_token = new CsrfToken('', $token);
var_dump($this->get('security.csrf.token_manager')->isTokenValid($csrf_token));
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
