Symfony2,登录表单-CSRF保护
[英]Symfony2, login form - CSRF protection
问题描述
I have this login form via Symfony2 security documentation with the following TWIG template content: 
通过Symfony2安全文档 ,我具有以下TWIG模板内容的登录表单:
<form action="{{ path('login_check') }}" method="post">
<div class="input form">
<label for="username">Account name or E-mail:</label>
<input type="text" id="username" name="_username" value="{{ last_username }}" required="required" />
</div>
<div class="input form">
<label for="password">Password:</label>
<input type="password" id="password" name="_password" required="required" />
</div>
<input type="hidden" name="_token" value="{{ csrf_token("intention") }}">
<button type="submit">Log In</button>
</form>
And I want to add CSRF protection in this form. 我想以这种形式添加CSRF保护。 As you can see, I added this line <input type="hidden" name="_token" value="{{ csrf_token("intention") }}"> but I'm not really sure, if it is enough to activate this protection. 如您所见,我添加了这行<input type="hidden" name="_token" value="{{ csrf_token("intention") }}">但我不确定,是否足以激活这种保护。
My controller has same form as on the doc, so it looks like this: 我的控制器具有与文档相同的形式,因此如下所示:
<?php
// src/Acme/SecurityBundle/Controller/SecurityController.php;
namespace Acme\SecurityBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\SecurityContext;
class SecurityController extends Controller
{
public function loginAction()
{
$request = $this->getRequest();
$session = $request->getSession();
// get the login error if there is one
if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
$error = $request->attributes->get(
SecurityContext::AUTHENTICATION_ERROR
);
} else {
$error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
$session->remove(SecurityContext::AUTHENTICATION_ERROR);
}
return $this->render(
'AcmeSecurityBundle:Security:login.html.twig',
array(
// last username entered by the user
'last_username' => $session->get(SecurityContext::LAST_USERNAME),
'error' => $error,
)
);
}
}
So it's enough just paste one hidden input with value {{ csrf_token("intention") }} or I have to add something into controller? 因此,只需将一个隐藏的输入粘贴为值{{ csrf_token("intention") }}否则我必须在控制器中添加一些内容?
2 个解决方案
解决方案1
2 已采纳 2014-02-23 19:16:36
I found that Answer from @Chris McKinnel isn't true. 我发现@Chris McKinnel的答案不正确。 Now, the Symfony2 has on the tutorial page this section: 现在,Symfony2在教程页面上具有以下部分:
http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html
I need add line in my security.yml : 我需要在security.yml中添加行:
form_login:
# ...
csrf_provider: form.csrf_provider
And change this 并改变这个
<input type="hidden" name="_token" value="{{ csrf_token("intention") }}">
to 至
<input type="hidden" name="_csrf_token" value="{{ csrf_token("authenticate") }}">
Now I am sure my authentication form si CSRF protected. 现在,我确定我的身份验证表单si CSRF受保护。
解决方案2
1 2013-10-14 14:06:27
CSRF protection is enabled by default, so all you need to do is render your CSRF token in your HTML. 默认情况下,CSRF保护处于启用状态,因此您要做的就是在HTML中呈现CSRF令牌。 You don't need to do anything in your controller. 您无需在控制器中执行任何操作。
You have a couple of options: 您有两种选择:
- Do it just like you've done it above 就像您已经在上面完成一样
- Use {{ form_rest(form) }} , this will render all fields that you haven't rendered yet, including hidden fields like the CSRF token 使用{{form_rest(form)}} ,这将渲染所有尚未渲染的字段,包括CSRF令牌之类的隐藏字段
Either will work fine. 两者都可以正常工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.