Can anyone tell me where/how to customise the CSRF token error message for forms in Symfony 1.4. I'm using sfDoctrineGuard for logins and in this form particularly, whenever a session runs out and you still have the page open, it throws a very user-unfriendly error: "CSRF attack detected". Something like "This session has expired. Please return to the home page and try again" sounds better.
What's the right way to do this in the form class?
Thanks.
Are you trying to log in and are receiving a “Forbidden (403) CSRF verification failed.” message? What is happening is that our site's securities are in conflict with an autofill-enabled configuration in your browser. To fix, you can: Disable autofill, allow cookies, and clear your cache.
Invalid or missing CSRF token: This error message means that your browser couldn't create a secure cookie, or couldn't access that cookie to authorize your login. This can be caused by ad- or script-blocking plugins, but also by the browser itself if it's not allowed to set cookies.
CSRF protection works by adding a hidden field to your form - called _token by default - that contains a value that only you and your user knows. This ensures that the user - not some other entity - is submitting the given data. Symfony automatically validates the presence and accuracy of this token.
CSRF - or Cross-site request forgery - is a method by which a malicious user attempts to make your legitimate users unknowingly submit data that they don't intend to submit. CSRF protection works by adding a hidden field to your form that contains a value that only you and your user know.
The only way seems to be to overwrite sfForm::addCSRFProtection().
In /lib/form/BaseForm.class.php you can add this piece of code:
<?php

class BaseForm extends sfFormSymfony
{
    public function addCSRFProtection($secret = null)
    {
        // Let sfForm register the _token field and its sfValidatorCSRFToken as usual.
        parent::addCSRFProtection($secret);

        // The validator schema is an object (ArrayAccess), not a plain array, so test
        // for the field with isset() rather than array_key_exists(). Forms that disable
        // CSRF protection have no _token validator at all, hence the check.
        if (isset($this->validatorSchema[self::$CSRFFieldName])) {
            // Replace the default text for the 'csrf_attack' error code.
            $this->getValidator(self::$CSRFFieldName)->setMessage(
                'csrf_attack',
                'This session has expired. Please return to the home page and try again.'
            );
        }
    }
}
After calling the parent method, you retrieve the validator associated with the CSRF field and change the message for the code csrf_attack.
Edit: You also need to check whether or not the validator exists. Some forms might have their CSRF protection disabled!
Hope this helps!
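To make the two pieces above concrete (the hidden _token mechanism described in the CSRF paragraphs, and the answer's point that a stale token should produce a user-friendly message rather than "CSRF attack detected"), here is a stand-alone PHP sketch. It is an added example, not Symfony's, sfDoctrineGuard's or the answerer's code; the function names, the HMAC construction, the placeholder secret and the session ids are all constructed for illustration.

```php
<?php
// Added example (not Symfony's or sfDoctrineGuard's code): a stand-alone sketch
// of the CSRF token mechanism described above, with the validation failure
// mapped to a user-friendly message. All names and values below are assumptions.

// Derive the token from a per-application secret, the session id and the form
// class, so a token only verifies inside the session it was issued for. When the
// session expires and a new one starts, the old token no longer matches, which
// is exactly the situation the question describes.
function csrf_token(string $secret, string $sessionId, string $formClass): string
{
    return hash_hmac('sha256', $sessionId . '|' . $formClass, $secret);
}

// Render the hidden field that carries the token (named _token, as in Symfony).
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Validate a submitted form. Returns null on success, otherwise the message to
// show the user. The precise reason goes to the log; the user sees friendly text.
function validate_csrf(array $post, string $secret, ?string $sessionId, string $formClass): ?string
{
    $friendly = 'This session has expired. Please return to the home page and try again.';

    if ($sessionId === null) {
        error_log('csrf: no active session');      // cookie expired or not sent
        return $friendly;
    }
    if (!isset($post['_token']) || !is_string($post['_token'])) {
        error_log('csrf: token missing');          // field stripped or form forged
        return $friendly;
    }
    $expected = csrf_token($secret, $sessionId, $formClass);
    // hash_equals compares in constant time, so the expected token is not
    // leaked through timing differences.
    if (!hash_equals($expected, $post['_token'])) {
        error_log('csrf: token mismatch');         // stale session or forged token
        return $friendly;
    }
    return null;
}

// --- Constructed walk-through (no real PHP sessions involved) ---
$secret    = 'placeholder-application-secret';   // in Symfony 1.4 this comes from settings.yml
$formClass = 'sfGuardFormSignin';

// 1. Page rendered inside a live session: the token is embedded in the form.
$liveSession = 'sess_abc123';
$token = csrf_token($secret, $liveSession, $formClass);
echo csrf_hidden_field($token), PHP_EOL;

// 2. Submitted within the same session: validate_csrf() returns null (accepted).
var_dump(validate_csrf(['_token' => $token], $secret, $liveSession, $formClass));

// 3. Session expired and a new one was started: the stale token fails, and the
//    user sees the friendly message instead of a bare "CSRF attack detected".
echo validate_csrf(['_token' => $token], $secret, 'sess_new456', $formClass), PHP_EOL;

// 4. Submitted with no token at all: rejected with the same message.
echo validate_csrf([], $secret, $liveSession, $formClass), PHP_EOL;
```

The design choice worth noting is the split between what is logged and what is shown: the log keeps the specific failure reason (expired session, missing token, mismatch) for the operator, while the user always gets the same neutral sentence, which is what the setMessage('csrf_attack', ...) call in the answer achieves inside Symfony's own validator.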