Symfony CSRF and Ajax

Tags:

ajax

csrf

symfony

I am trying to implement some ajax functionality in my Symfony 2 project. Using jquery's $.post I want to send some data back to my controller. However, when I just POST the data no CSRF protection is in place, as symfony's csrf protection only seems to apply to forms.

What would be a pretty straightforward way to implement this?

When using forms I can just do $form->isValid() to find out whether or not the CSRF token passes. I am currently placing everything I want to POST in a form and then posting that, which basically means I am only using that form to implement CSRF protection, which seems hacky.

peterrus asked Aug 21 '12 12:08


2 Answers

In Symfony2 the CSRF token is based on the session by default. If you want to generate it, you just have to get this service and call the generation method:

// Symfony\Component\Form\Extension\Csrf\CsrfProvider\SessionCsrfProvider by default
$csrf = $this->get('form.csrf_provider');
// Intention should be an empty string if you did not define it in the parameters
$token = $csrf->generateCsrfToken($intention);

return new Response($token);

This question might be useful for you

Vitalii Zurian answered Sep 19 '22 05:09
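To tie the question and this answer together, here is an added example (not code from the question, the answer, or the Symfony project) of a Symfony 2.x controller that mints a token with the form.csrf_provider service for an Ajax page and then checks it on the jQuery POST, so the form object the question calls hacky is not needed at all. It assumes Symfony 2.1 to 2.3, where form.csrf_provider implements CsrfProviderInterface with generateCsrfToken() and isCsrfTokenValid(); the bundle, route and template names and the intention string ajax_widget are hypothetical.

```php
<?php
// Added example: CSRF for a jQuery $.post without a Symfony form object.
// Assumes Symfony 2.1-2.3 ('form.csrf_provider' = CsrfProviderInterface).
// Bundle, route, template names and the intention are hypothetical.

namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

class WidgetController extends Controller
{
    // The intention binds the token to this one use: a token minted for a
    // different intention (or another user's session) does not validate here.
    const CSRF_INTENTION = 'ajax_widget';

    /**
     * Renders the page. The token goes into a data attribute so the page's
     * JavaScript can read it; it never has to live inside a <form>.
     */
    public function pageAction()
    {
        $token = $this->get('form.csrf_provider')
            ->generateCsrfToken(self::CSRF_INTENTION);

        // Hypothetical template; it is expected to contain something like:
        //   <div id="widget" data-csrf="{{ csrf_token }}"></div>
        //   <script>
        //     $.post('{{ path('acme_widget_save') }}',
        //            { _token: $('#widget').data('csrf'), title: 'hello' });
        //   </script>
        return $this->render('AcmeDemoBundle:Widget:page.html.twig', array(
            'csrf_token' => $token,
        ));
    }

    /**
     * Target of the Ajax POST. Refuses the request unless the submitted
     * _token matches the session-bound token for this intention.
     */
    public function saveAction(Request $request)
    {
        $submitted = (string) $request->request->get('_token', '');

        if (!$this->get('form.csrf_provider')
                ->isCsrfTokenValid(self::CSRF_INTENTION, $submitted)) {
            // 403 lets the JavaScript side treat the failure distinctly from
            // a validation error in the payload itself.
            return new JsonResponse(array('error' => 'Invalid CSRF token'), 403);
        }

        $title = $request->request->get('title');
        // ... persist $title for the current user ...

        return new JsonResponse(array('ok' => true));
    }
}
```

The check is the same one the form layer performs internally; the only difference is that the token travels as an ordinary POST parameter and is verified explicitly in the action. Keep one intention per distinct Ajax endpoint rather than a single empty intention for everything, so a token leaked from one page cannot be replayed against another action.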


I had this problem, intermittently. Turned out it was not due to my ajax, but because Silex gives you a deprecated DefaultCsrfProvider which uses the session ID itself as part of the token, and I change the ID randomly for security. Instead, explicitly telling it to use the new CsrfTokenManager fixes it, since that one generates a token and stores it in the session, such that the session ID can change without affecting the validity of the token.

/** Use a CSRF provider that does not depend on the session ID being constant. We change the session ID randomly */
$app['form.csrf_provider'] = $app->share(function ($app) {
    $storage = new Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage($app['session']);
    return new Symfony\Component\Security\Csrf\CsrfTokenManager(null, $storage);
});
Josh Ribakoff answered Sep 23 '22 05:09
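As an added example (not part of the answer above and not Silex or Symfony code), the following script shows the property the answer relies on: a token issued by CsrfTokenManager with SessionTokenStorage is stored as session data, so rotating the session ID leaves it valid, while a token presented under another ID or with a tampered value is rejected. It assumes symfony/security-csrf and symfony/http-foundation 2.4 or later installed through Composer, and uses a mock session storage so it runs from the command line; the token ID ajax_widget is hypothetical.

```php
<?php
// Added example: CsrfTokenManager tokens survive a session ID change.
// Assumes symfony/security-csrf and symfony/http-foundation (2.4+) via Composer.
// The token ID is hypothetical; it plays the role the old provider called "intention".

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;

// Mock storage keeps everything in memory, so no cookies or PHP session are needed.
$session = new Session(new MockArraySessionStorage());
$session->start();

// A null generator selects the default random token generator, which does not
// derive the value from the session ID (the weakness of DefaultCsrfProvider).
$manager = new CsrfTokenManager(null, new SessionTokenStorage($session));

$tokenId = 'ajax_widget';
$issued  = $manager->getToken($tokenId)->getValue(); // stored in the session under $tokenId
$oldSid  = $session->getId();

// Simulate the ID rotation the answer describes (e.g. on login): new ID, same data.
$session->migrate();
if ($session->getId() === $oldSid) {
    throw new RuntimeException('session ID did not change');
}

// What the browser sends back is compared against the stored value by token ID,
// so the rotated session ID plays no part in the comparison.
$stillValid = $manager->isTokenValid(new CsrfToken($tokenId, $issued));

// Negative cases: wrong token ID, and a tampered value for the right ID.
$wrongId      = $manager->isTokenValid(new CsrfToken('other_id', $issued));
$wrongValue   = $manager->isTokenValid(new CsrfToken($tokenId, 'forged'));

echo 'after migrate: ', $stillValid ? 'valid' : 'invalid', PHP_EOL;
echo 'other id:      ', $wrongId ? 'valid' : 'invalid', PHP_EOL;
echo 'forged value:  ', $wrongValue ? 'valid' : 'invalid', PHP_EOL;
```

Run it with php from the project root after composer install. The first check passes and the other two fail; swapping the manager for a DefaultCsrfProvider-style scheme that hashes the session ID would make the first check fail after migrate(), which is exactly the intermittent breakage the answer describes.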