Invalid CSRF token in my own login form

I am working on a Symfony application using FOSUserBundle. I want to have a drop-down login form in the menu bar when I am not authenticated, which has a completely different style from the one under /login.

I get an "Invalid CSRF token". I am a complete newbie to Symfony2, so maybe I am making an obvious mistake, but I cannot find a solution by searching. This is what I tried:

Controller:

<?php

namespace RoiRodriguez\CustomUserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\SecurityContext;

class DefaultController extends Controller {

    /**
     * For internal requests: renders the navigation bar.
     * It has no route.
     */
    public function navigationAction() {
        $params = array(
            'csrf_token'    => '',
            'last_username' => ''
        );

        // NOTE: the token is only generated for a user who is already fully authenticated, so
        // the unauthenticated dropdown (the one that actually contains the login form) is
        // rendered with csrf_token = '' and the firewall's form_login check rejects the post.
        if ($this->container->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            $session = $this->getRequest()->getSession();
            $params['last_username'] = (null === $session) ? '' : $session->get(SecurityContext::LAST_USERNAME);
            // 'authenticate' is the intention the form_login listener validates against
            $params['csrf_token'] = $this->container->get('form.csrf_provider')->generateCsrfToken('authenticate');
        }

        return $this->render('CustomUserBundle:Default:navigation.html.twig', $params);
    }
}

View:

<ul class="nav navbar-nav navbar-right">
{# is_granted() is the Twig security helper; the User object itself has no isGranted() method #}
{% if is_granted('IS_AUTHENTICATED_FULLY') %}
    {% include 'CustomUserBundle:Default:includes/navigation-authenticated.html.twig' %}
{% else %}
    {% include 'CustomUserBundle:Default:includes/navigation-notauthenticated.html.twig' with {'csrf_token': csrf_token, 'last_username': last_username} %}
{% endif %}
</ul>

Unauthenticated template:

<li><a href="{{ path('fos_user_registration_register') }}">Nueva cuenta</a></li>
<li class="dropdown"><a href="#" class="dropdown-toggle"
    data-toggle="dropdown">Ingresar <b class="caret"></b></a>
    <div class="dropdown-menu dd-login-form-container">

        <!-- login form -->
        <form role="form" method="post"
            action="{{ path("fos_user_security_check") }}">
            <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
......
            <button type="submit" class="btn btn-primary">Ingresa!</button>
        </form>
        <!-- end login form -->
        <ul>
            <li><a href="{{ path('fos_user_resetting_request') }}">¿Has olvidado
                    tu contraseña?</a></li>
            <li><a href="{{ path('fos_user_registration_register') }}">¿Todavía
                    no tienes una cuenta?</a></li>
        </ul>
    </div>
</li>

What am I missing? In addition, this drop-down menu gets rendered inside /login too; will I have problems generating the token twice?

+6
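As an added example (not code from the question, the answers, Symfony or FOSUserBundle), the following stand-alone PHP models how the Symfony 2.0-2.3 SessionCsrfProvider derives and checks the form_login token, and walks through the three situations the question raises: an empty token for the unauthenticated visitor, the same token rendered twice in one session, and a token generated under a different intention. The application secret and session id are constructed placeholders, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example, not code from the question, the answers or Symfony/FOSUserBundle: a stand-alone
// model of the Symfony 2.0-2.3 SessionCsrfProvider, which derives the form_login token from the
// app secret, an "intention" string and the session id. Assumed/constructed: the secret and
// session id below are placeholders; hash_equals() needs PHP >= 5.6.
final class LoginCsrfProvider
{
    private $secret;
    private $sessionId;

    public function __construct($secret, $sessionId)
    {
        $this->secret    = $secret;
        $this->sessionId = $sessionId;
    }

    // The token is a pure function of (secret, intention, session id), so generating it once
    // for the navbar dropdown and again for the /login page yields the same value.
    public function generateCsrfToken($intention)
    {
        return sha1($this->secret . $intention . $this->sessionId);
    }

    // Constant-time comparison against the token expected for this intention.
    public function isCsrfTokenValid($intention, $token)
    {
        return is_string($token) && hash_equals($this->generateCsrfToken($intention), $token);
    }
}

// Models the firewall's form_login listener: it validates _csrf_token under the
// 'authenticate' intention, which is why the controller must generate it with that name.
function securityCheck(LoginCsrfProvider $provider, array $post)
{
    $token = isset($post['_csrf_token']) ? $post['_csrf_token'] : '';
    return $provider->isCsrfTokenValid('authenticate', $token) ? 'login proceeds' : 'Invalid CSRF token';
}

$provider = new LoginCsrfProvider('app-secret-placeholder', 'sess-0123456789abcdef');
// Case 1: the posted navigationAction leaves csrf_token empty for unauthenticated visitors.
echo securityCheck($provider, array('_csrf_token' => '')), "\n";
// Case 2: a token generated for the unauthenticated dropdown is accepted, and it is
// identical to the one the /login page would render in the same session.
$navbar    = $provider->generateCsrfToken('authenticate');
$loginPage = $provider->generateCsrfToken('authenticate');
echo $navbar === $loginPage ? 'same token on both forms' : 'different tokens', "\n";
echo securityCheck($provider, array('_csrf_token' => $navbar)), "\n";
// Case 3: a token minted for another intention (e.g. a registration form) is rejected.
echo securityCheck($provider, array('_csrf_token' => $provider->generateCsrfToken('registration'))), "\n";
```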
7 answers

- " CSRF" - , . FOSUserBundle ( FOSUserBundle), , . . security.yml , csrf .

app/config/security.yml , csrf.

security:
    .......
    firewalls:
        ........
        vendor:
            pattern: ^/vendor
            form_login:
                provider: fos_userbundle
            #   csrf_token_generator: security.csrf.token_manager
                login_path: vendor_login
                check_path: vendor_login_check
            logout: true


+12
+5

...

<form action="{{ path('yourRoute') }}" method="post" {{ form_enctype(form) }}>

CSRF , {{ form_enctype(form) }}

http://symfony.com/doc/current/reference/forms/twig_reference.html#form-enctype-view, ...

+1

@Roirodriguez, . , render include ( 4).

, - , FOSUserBundle, . , , , ( ..).

:

  • FOSUserBundle. UserBundle, get parent. FOSUserBundle

    <?php 
    namespace Me\UserBundle;
    use Symfony\Component\HttpKernel\Bundle\Bundle;
    class MeUserBundle extends Bundle
    {
        public function getParent()
        {
            return 'FOSUserBundle';
        }
    }
    
  • {#loginHorizontal.html.twig#}
    
    {% trans_default_domain 'FOSUserBundle' %}
    <div class="nav navbar-nav navbar-right">
    <form  class="navbar-form navbar-left form-inline" action="{{ path("fos_user_security_check") }}" method="post" role="form" >
        <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
        <div class="form-group">
            <div class="input-group">
                <div class="input-group-addon"><i class="fa fa-user" ></i></div>
                <input type="text" class="form-control" id="txt_username"
                       placeholder="{{ 'security.login.username'|trans }}" name="_username"
                       value="{{ last_username }}" required="required" >
            </div>
        </div>
        <div class="form-group">
            <div class="input-group">
                <div class="input-group-addon"><i class="fa fa-asterisk" ></i></div>
                <input type="password"  class="form-control" id="txt_pwd" name="_password" required="required" placeholder="{{ 'security.login.password'|trans }}" />
            </div>
    
        </div>
        <input type="submit" id="_submit" name="_submit"  class="btn btn-primary" value="{{ 'security.login.submit'|trans }}" />
        <br />
        <div class="checkbox">
            <label>
                <input type="checkbox" id="remember_me" name="_remember_me" value="on" /> {{ 'security.login.remember_me'|trans }}
            </label>
        </div>
    </form>
    </div>
    
    
    
    {#authenticatedDropdown.html.twig#}
    
    {% trans_default_domain 'FOSUserBundle' %}
    <ul class="nav navbar-nav navbar-right" >
        <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown"> welcome, {{ app.user.username }}<span class="caret"></span></a>
            <ul class="dropdown-menu" role="menu">
                <li><a href="#">bla bla</a></li>
                <li class="divider"></li>
                <li><a href="{{ path('fos_user_security_logout') }}">
                    {{ 'layout.logout'|trans({}, 'FOSUserBundle') }}
                </a></li>
            </ul>
        </li>
        <li></li>
    </ul>
    
  • SecurityController . , , vars csrf_token .

    namespace Me\UserBundle\Controller;
    
    use FOS\UserBundle\Controller\SecurityController as BaseController;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\Security\Core\SecurityContextInterface;
    
    
    class SecurityController extends BaseController
    {
        /**
         * For internal template use: renders the horizontal login, e.g. the header bar login.
         * No routing used.
         */
        public function loginHorizontalAction(Request $request)
        {
            /** @var $session \Symfony\Component\HttpFoundation\Session\Session */
            $session = $request->getSession();
    
            // last username entered by the user
            $lastUsername = (null === $session) ? '' : $session->get(SecurityContextInterface::LAST_USERNAME);
    
            $csrfToken = $this->container->has('form.csrf_provider')
                ? $this->container->get('form.csrf_provider')->generateCsrfToken('authenticate')
                : null;
    
            $data =  array(
                'last_username' => $lastUsername,
                'csrf_token' => $csrfToken,
            );
            return $this->container->get('templating')->renderResponse('MeUserBundle:Security:loginHorizontal.html.twig', $data);
        }
    
        /**
         * For internal template use: renders the dropdown after authentication, e.g. the header bar for the user.
         * No routing used.
         */
        public function authenticatedDropdownAction()
        {
            $data =  array();
            return $this->container->get('templating')
                ->renderResponse('MeUserBundle:Security:authenticatedDropdown.html.twig', $data);
        }
    }
    
  • , / twig Symfony doc on

    <div class="navbar-right" >
        {% block login %}
            {% if is_granted("IS_AUTHENTICATED_REMEMBERED") %}
                {# render(controller()) is the Symfony 2.2+ function form; the old {% render %} tag is deprecated #}
                {{ render(controller("MeUserBundle:Security:authenticatedDropdown")) }}
            {% else %}
                {{ render(controller("MeUserBundle:Security:loginHorizontal")) }}
            {% endif %}
        {% endblock %}
    </div>
    


Cheers,

+1

symfony 4 FOSUserBundle, .

:

login_content.html.twig :

{% if csrf_token %}
    <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
{% endif %}

:

{% if csrf_token('authenticate') %}
    <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" />
{% endif %}

: "('authenticate')"

csrf.


0

Symfony 4. post_max_size upload_max_filesize. - . " CSRF".

-1
