Adding CSRF token #16973
> because all users will receive a session cookie. In order to prevent that, you
> must *completely* avoid accessing the session.
>
> By default, every Symfony form starts a session to store a CSRF token. To disable
> this, see :doc:`CSRF Protection </security/csrf>`.
To disable sessions in form contexts one should use the form config instead.
Now I'm realizing that there is no mention of that config anywhere in the docs (https://github.com/symfony/symfony/blob/4.4/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php#L163).
What I tried to add was just a "reverse" link for what is said on https://symfony.com/doc/current/security/csrf.html:
> That's why a session is started automatically as soon as you render a form with CSRF protection.
So in which file is form config happening? Or do you mean csrf_protection in framework config?: https://symfony.com/doc/current/reference/configuration/framework.html#csrf-protection
There are two available configs for csrf, the one you are referring to, enabling it globally at the framework level:

```yaml
# config/packages/framework.yaml
framework:
    csrf_protection: true/false
```

And the one I'm referring to (which does not seem documented and that I linked above), to enable it at the form level only:

```yaml
# config/packages/form.yaml
framework:
    form:
        csrf_protection: true/false
```
Sorry, I don't fully understand the source code :-(
The best page to document this would probably be https://symfony.com/doc/current/forms.html - since it's probably not worth its own page?!
But some other questions first:
What happens if csrf_protection is true in one, and false in the other file?
What else can be configured in form.yaml?
What's the purpose of form.yaml at all? Is there any advantage over doing it in framework.yaml? Both ways are for users of the full framework only, right?
> What happens if `csrf_protection` is true in one, and false in the other file?

`framework.csrf_protection` defines the default value of `framework.form.csrf_protection` (see the comment in the link from my previous comment).
So defining the global as true defines the form protection as true, then switching the form one to false would be my approach in the current PR context.
On the other hand, defining the global as false would make the form protection disabled, then trying to enable it at the form level wouldn't work as expected (however I have not tested if it throws a clear exception or if it just fails silently).

> What else can be configured in `form.yaml`?

The best documentation is your console ;), using:

```shell
bin/console config:dump framework
# or
bin/console config:dump framework form
bin/console config:dump framework csrf_protection
```

> What's the purpose of `form.yaml` at all?

Same as `mailer.yaml` or any other component configured by the FrameworkBundle (i.e. serializer, messenger, lock, ...) to avoid having hundreds of lines in `framework.yaml`.
But feel free to decide to add this file or not by inlining this config directly in `framework.yaml` :).

> Both ways are for users of the full framework only, right?

Right :)
Unable to find node at path "framework.csrf".
Sorry, it's `bin/console config:dump framework csrf_protection` 🤦 (I've edited my comment).
> On the other hand, defining the global as false would make the form protection disabled, then trying to enable it at the form level wouldn't work as expected (however I have not tested if it throws a clear exception or if it just fails silently).

So, I've just tested:

```yaml
# config/packages/framework.yaml
framework:
    csrf_protection: false
    form:
        csrf_protection: true
```

and I got the following:

> The service "form.type_extension.csrf" has a dependency on a non-existent service "security.csrf.token_manager".
I've opened symfony/symfony#46960 to try to improve this.
OK, but still: If you do it the other way around:

```yaml
# config/packages/framework.yaml
framework:
    csrf_protection: true
    form:
        csrf_protection: false
```

... where will CSRF be enabled then?
The framework is using the global config to wire the services of the symfony/security-csrf component; they can be used elsewhere, not only in forms, and can rely on other implementations not using a session (i.e. a specific cookie).
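As an added illustration (not code from this PR, from the Symfony docs, or from any participant above), the controller below shows both situations the thread distinguishes: a Symfony form whose per-form `csrf_protection` option is governed by `framework.form.csrf_protection`, and a hand-rolled POST endpoint that is not a form at all, where only the global `security.csrf.token_manager` (wired by `framework.csrf_protection`) can be used and the check has to be written explicitly. The file path, class name, route names and token ids are hypothetical; the Symfony APIs used (`createFormBuilder`, the `csrf_protection`/`csrf_field_name`/`csrf_token_id` form options, `AbstractController::isCsrfTokenValid()`, `CsrfTokenManagerInterface::isTokenValid()`) are the real ones.

```php
<?php
// src/Controller/CsrfDemoController.php (hypothetical path and class name; added example)

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class CsrfDemoController extends AbstractController
{
    // Case 1: a Symfony form. The per-form `csrf_protection` option defaults to
    // framework.form.csrf_protection, which in turn defaults to
    // framework.csrf_protection. Rendering the form with protection enabled
    // writes the token into the session, which is what starts the session.
    #[Route('/profile', name: 'csrf_demo_profile', methods: ['GET', 'POST'])]
    public function profile(Request $request): Response
    {
        $form = $this->createFormBuilder(null, [
            'csrf_protection' => true,                // set explicitly so the intent is visible in the code
            'csrf_field_name' => '_token',            // the default field name
            'csrf_token_id'   => 'csrf_demo_profile', // bind the token to this form, not to the generic form name
        ])
            ->add('displayName', TextType::class)
            ->add('save', SubmitType::class)
            ->getForm();

        $form->handleRequest($request);
        if ($form->isSubmitted() && $form->isValid()) {
            // ... persist $form->getData() ...
            return $this->redirectToRoute('csrf_demo_profile');
        }

        return $this->render('csrf_demo/profile.html.twig', ['form' => $form->createView()]);
    }

    // Case 2: a state-changing POST that is not a Symfony form (a "delete"
    // button rendered by hand). framework.form.csrf_protection does nothing
    // here; the token issued by the global security.csrf.token_manager has to
    // be checked explicitly, and that requires framework.csrf_protection: true.
    // Twig side: <input type="hidden" name="_token" value="{{ csrf_token('delete-item') }}">
    #[Route('/items/{id}/delete', name: 'csrf_demo_item_delete', methods: ['POST'])]
    public function delete(Request $request, int $id): Response
    {
        // AbstractController::isCsrfTokenValid() wraps CsrfTokenManagerInterface::isTokenValid().
        if (!$this->isCsrfTokenValid('delete-item', (string) $request->request->get('_token'))) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        // ... delete item $id ...
        return $this->redirectToRoute('csrf_demo_profile');
    }

    // The same check outside a controller (a service or a message handler)
    // uses the token manager directly. A missing token is rejected up front so
    // that it is never compared as an empty string.
    public static function isValidToken(CsrfTokenManagerInterface $manager, string $id, ?string $value): bool
    {
        if (null === $value || '' === $value) {
            return false;
        }

        return $manager->isTokenValid(new CsrfToken($id, $value));
    }
}
```

With `framework.csrf_protection: true` and `framework.form.csrf_protection: false`, the `profile` form above still gets a token because it sets the option explicitly, while forms that do not would be rendered without one; the `delete` endpoint is unaffected by the form-level switch either way. With `framework.csrf_protection: false`, neither endpoint can obtain a token manager, which is the wiring error reported earlier in this thread.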
Sorry, I don't have a clear enough picture to suggest something. Maybe somebody else has an idea - ping @javiereguiluz
…CSRF (HeahDude)

This PR was merged into the 4.4 branch.

Discussion
----------

[FrameworkBundle] Fail gracefully when forms use disabled CSRF

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | kind of
| New feature?  | no
| Deprecations? | no
| Tickets       | ~
| License       | MIT
| Doc PR        | ~

Relates to symfony/symfony-docs#16973.

Currently with the following config in Symfony demo:

```yaml
# config/packages/framework.yaml
framework:
    csrf_protection: false
    form:
        csrf_protection: true
```

we get:

> The service "form.type_extension.csrf" has a dependency on a non-existent service "security.csrf.token_manager".

We should consider this PR as a bug fix to make this exception actionable.

Commits
-------

5990182 [FrameworkBundle] Fail gracefully when forms use disabled CSRF
Thanks for this PR and for the discussion. I decided to create a new PR in #20008 to continue the work needed here, so let's close this PR in favor of the new one.
…ssions (javiereguiluz)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[Form] Mention that enabling CSRF in forms will start sessions

Continues the work started in #16973. This adds the missing `framework.form` config mentioned by `@HeahDude`.

Commits
-------

036a8a0 [Form] Mention that enabling CSRF in forms will start sessions