From d6cfb3699eb034cfa733639529a4bd27c12a4227 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 20 Oct 2015 22:02:36 +0200
Subject: [PATCH 1/5] document old way of checking validity of CSRF token
---
 book/controller.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/book/controller.rst b/book/controller.rst
index 1d15b914d7b..f95969001f8 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -794,6 +794,22 @@ Just like when creating a controller for a route, the order of the arguments of
 order of the arguments, Symfony will still pass the correct value to each variable.
+Checking the Validity of a CSRF Token
+-------------------------------------
+
+Sometimes you want to use CSRF protection in an action where you don't want to use a
+Symfony form.
+
+If, for example, you're doing a DELETE action, you can use the
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderAdapter::isTokenValid`
+method to check the CSRF token::
+
+ use Symfony\Component\Security\Csrf\CsrfToken;
+
+ $this->get('security.csrf.token_manager')->isTokenValid(
+ new CsrfToken('token_id', 'TOKEN')
+ );
+
 Final Thoughts
 --------------
From eda73326989fa0897eb88dd0d501cbfb34829771 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Thu, 22 Oct 2015 19:36:34 +0200
Subject: [PATCH 2/5] fix code example
---
 book/controller.rst | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/book/controller.rst b/book/controller.rst
index f95969001f8..b4c29fcf36a 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -801,14 +801,11 @@ Sometimes you want to use CSRF protection in an action where you don't want to u
 Symfony form.
 If, for example, you're doing a DELETE action, you can use the
-:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderAdapter::isTokenValid`
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\DefaultCsrfProvider::isCsrfTokenValid`
 method to check the CSRF token::
- use Symfony\Component\Security\Csrf\CsrfToken;
-
- $this->get('security.csrf.token_manager')->isTokenValid(
- new CsrfToken('token_id', 'TOKEN')
- );
+ $csrf = $this->container->get('form.csrf_provider');
+ $csrf->isCsrfTokenValid('authenticate', new CsrfToken('token_id', 'TOKEN'));
 Final Thoughts
 --------------
From 73209d05ff21c223374a21668a40492fa591db1f Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Thu, 22 Oct 2015 19:44:00 +0200
Subject: [PATCH 3/5] use generateCsrfToken()
---
 book/controller.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index b4c29fcf36a..b03ca33d099 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -805,7 +805,10 @@ If, for example, you're doing a DELETE action, you can use the
 method to check the CSRF token::
 $csrf = $this->container->get('form.csrf_provider');
- $csrf->isCsrfTokenValid('authenticate', new CsrfToken('token_id', 'TOKEN'));
+ $intention = 'authenticate';
+ $token = $csrf->generateCsrfToken($intention);
+
+ $csrf->isCsrfTokenValid($intention, $token);
 Final Thoughts
 --------------
From 7b574210b3c61d58f736993bd46ebb9d7ae95827 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 1 Dec 2015 13:10:20 +0100
Subject: [PATCH 4/5] link to interface
---
 book/controller.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index b03ca33d099..f67a929c330 100644
--- a/book/controller.rst
+++ b/book/controller.rst
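Review bot: The example in patch 3/5 validates a token it has just generated itself — `$token = $csrf->generateCsrfToken($intention);` immediately followed by `$csrf->isCsrfTokenValid($intention, $token);` — so the check can only ever succeed and the action gains no CSRF protection from it, while a reader copying the snippet will believe it does. The value handed to `isCsrfTokenValid()` must be the token the client sent back with the request (the one embedded in the form or link when the page was rendered), e.g. `$token = $request->request->get('_token'); // token submitted by the client` with a `Request $request` action argument, and `generateCsrfToken()` belongs in the code that renders that form or link. Patch 5/5's hunk keeps the same generate-then-validate sequence and needs the same correction. The prose above the snippet could also say explicitly that the submitted token is compared against the server-side one and that the request must be refused when the check fails, which the later `if (!$csrf->isCsrfTokenValid(...))` form only hints at.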
@@ -801,7 +801,7 @@ Sometimes you want to use CSRF protection in an action where you don't want to u
 Symfony form.
 If, for example, you're doing a DELETE action, you can use the
-:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\DefaultCsrfProvider::isCsrfTokenValid`
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderInterface::isCsrfTokenValid`
 method to check the CSRF token::
 $csrf = $this->container->get('form.csrf_provider');
From fb1c73de1c79187c471abaa8b9e19603092de808 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 15 Dec 2015 19:48:07 +0100
Subject: [PATCH 5/5] more realistic example
---
 book/controller.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index f67a929c330..70a72db5fb2 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -808,7 +808,9 @@ method to check the CSRF token::
 $intention = 'authenticate';
 $token = $csrf->generateCsrfToken($intention);
- $csrf->isCsrfTokenValid($intention, $token);
+ if (!$csrf->isCsrfTokenValid($intention, $token)) {
+ // CSRF token invalid! Do something, like redirect with an error.
+ }
 Final Thoughts
 --------------
pFad - Phonifier reborn
