Symfony CSRF Attack Detected even when passing _csrf_token
Here is my form:
<form novalidate action="<?php echo url_for('article/submit') ?>" method="POST">
<?php echo $form['title']->renderRow() ?>
<?php echo $form['content']->renderRow() ?>
<?php echo $form->renderHiddenFields() ?>
<input type="submit" value="Save"/>
</form>
And looking at the generated HTML source, the _csrf_token IS in fact being rendered.
Here is my action:
public function executeSubmit(sfWebRequest $request)
{
$this->forward404Unless($request->isMethod('post'));
$request->checkCSRFProtection();
die('submitting post...');
}
The error:
_csrf_token [CSRF attack detected.]
Even in my action if I do a var_dump($_POST); die; I get:
Array
(
[title] => string(8) "My title"
[content] => string(10) "My Content"
[_csrf_token] => string(32) "<my token here>"
)
So the csrf token is definitely being rendered and passed correctly. What am I doing wrong?
Also, is there any documentation for checkCSRFProtection() anywhere? The API docs don't say anything about it besides acknowledging its existence.
A few things to check:
(Source: http://oldforum.symfony-project.org/index.php/t/17867/)
Be sure you have defined your "secret" in your settings:
csrf_secret: ThisIsMySecret # Unique secret to enable CSRF protection or false to disable
Also, based on what I've gathered from that forum post, CSRF protection checking is done automatically in $this->form->isValid(), so your call to $request->checkCSRFProtection() is unnecessary if you are already checking if the form is valid. If not, add $this->form->isValid().
It would also seem that $request->checkCSRFProtection() doesn't work with forms; its purpose (if I'm correct) is to validate requests served when a user clicks a link. When CSRF protection is enabled, link_to() automatically adds CSRF protection to the links it generates. So, basically, the CSRF protection for a form is different from that of a request that didn't originate from a form.
See this ticket for more details: http://trac.symfony-project.org/ticket/7315
Another ticket that may be of interest: http://trac.symfony-project.org/ticket/5698
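The following is an added example of the form-bound flow the answer describes; it is not the asker's or the answerer's code. It assumes a Symfony 1.x project with a hypothetical ArticleForm class (an sfForm subclass built while CSRF protection is enabled via csrf_secret) and a form with no name format, so the fields arrive as title, content and _csrf_token exactly as in the var_dump above. With a name format set, the bind call would instead use $request->getParameter($this->form->getName()).

```php
<?php
// Added example (not from the original question or answer): a Symfony 1.x
// action that lets sfForm perform the CSRF check inside isValid(), which is
// where the answer says the check for form submissions actually happens.
// Assumptions: ArticleForm is a hypothetical sfForm subclass constructed
// with CSRF protection enabled (csrf_secret defined in settings.yml), and
// the form has no name format, so the fields post as "title", "content"
// and "_csrf_token" as shown in the var_dump in the question.
class articleActions extends sfActions
{
    public function executeSubmit(sfWebRequest $request)
    {
        // Only a POST submission carries the hidden _csrf_token field.
        $this->forward404Unless($request->isMethod('post'));

        // Constructing the form with the configured secret registers the
        // sfValidatorCSRFToken validator for the _csrf_token field, so no
        // separate $request->checkCSRFProtection() call is needed here.
        $this->form = new ArticleForm();

        // Bind the raw POST array; with no name format there is no
        // "article[...]" prefix to look up, so the whole POST body is used.
        $this->form->bind($request->getPostParameters());

        // isValid() runs every validator, including the CSRF one. A missing,
        // stale or forged token produces the field error
        // "_csrf_token [CSRF attack detected.]" instead of throwing.
        if ($this->form->isValid()) {
            // Only a submission with a valid token reaches this branch:
            // persist the article here, then redirect to avoid a resubmit.
            $this->redirect('article/index');
        }

        // Fall through to submitSuccess.php so the template can re-render
        // the form (renderRow(), renderHiddenFields()) with its errors shown.
        return sfView::SUCCESS;
    }
}
```

The design point is that the token check lives in the form's validator schema, so it runs together with the field validators and its failure is reported like any other validation error; a separate request-level check is only the mechanism link_to() relies on for non-form requests.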