Disable CSRF token on login form

Question

I am using Symfony2.0 and FOSUserBundle, and would like to disable the csrf token on my login form.

I have disabled the csrf protection globally on my website in my config.yml:

framework:
    csrf_protection:
        enabled:        false

This is working well, there is no csrf field added to my forms. However, this does not apply to the login form. On this form only, I get an "Invalid CSRF Token" error if I don't include the token in the form with:

<input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />

How can I disable the CSRF token on the login form?

Because my client wants the login form to be validated no matter how long the user has been sitting on the login page. Besides, I personally don't think a CSRF protection is necessary for this particular website. — fkoessler, Mar 11 '13 at 09:41

Juan Sosa · Answer 1 · 2013-03-10T14:38:11.977

29

You can disable CSRF protection in your form class by setting 'csrf_protection' => false in its options array:

class LoginType extends AbstractType
{
    // ...

    public function getDefaultOptions(array $options)
    {
        return array(
            'data_class'      => 'Acme\UserBundle\Entity\User',
            'csrf_protection' => false
        );
    }

    // ...

}

In case you are using FormBuilder to create your form instead of an AbstractType class, you can pass the options array as the second parameter for createFormBuilder() like this:

$form = $this->createFormBuilder($users, array('csrf_protection' => false))
        ->add( ... )
        ->getForm();

edited Mar 10 '13 at 14:38

answered Mar 07 '13 at 11:16

Juan Sosa

5,262
1
35
41

Problem is I don't have such a LoginType class. Should I extend the Symfony2 LoginType class just to set the csrf_protection property to false? Is there no simpler way? – fkoessler Mar 10 '13 at 02:06
Yes it helped me realize that I had to look into FOSUserBundle's SecurityController to set the csrf to false. I posted my own answer though with more details on how to proceed. +1 – fkoessler Mar 11 '13 at 10:06
You should have mentioned you were using FOSUserBundle. – Juan Sosa Mar 11 '13 at 10:22
1

Or if you are using the createNamedBuilder() method inside the 4th parameter: $form = $this->get('form.factory')->createNamedBuilder('', 'form', null, array('csrf_protection' => false)); – webDEVILopers Nov 09 '14 at 19:16

score 19 · Accepted Answer · answered Mar 11 '13 at 14:18

19

If you just go to your security.yml file and remove the csrf_provider from the form_login directive, don't need to update the action class or anything.

answered Mar 11 '13 at 14:18

Daum

815
1
7
11

score 1 · Answer 3 · answered Oct 09 '13 at 19:39

if you're using FOSUserBundle, and you would like to disable CSRF protection only on the login form, there are a few steps to follow.

Step 1) Create your own user bundle & Security Controller file

In order to over-ride the SecurityController that is built into FOSUserBundle, you must first create your own user bundle.

So, create a file called app/src/{YourApp}/UserBundle/Controller/SecurityController.php You should extend the original SecurityController class, and copy over the loginAction method

use FOS\UserBundle\Controller\SecurityController as SecurityControllerOrig;
class SecurityController extends SecurityControllerOrig
{
   public function loginAction(Request $request)
   {
   }
}

Within the loginAction method, comment out, or remove these lines:

$csrfToken = $this->container->has('form.csrf_provider')
        ? $this->container->get('form.csrf_provider')->generateCsrfToken('authenticate')
        : null;

Then make sure that nothing is passed to view for the CSRF token:

return $this->renderLogin(array(
        'last_username' => $lastUsername,
        'error'         => $error,
        'csrf_token' => false,
    ));

Step 2) Disable CSRF checking in Symfony's firewall (security.yml)

Make sure you comment out the existing "csrf_provider:" line in security.yml:

firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                #csrf_provider: form.csrf_provider

Step 3) Override the routing for FOSUserBundle's security controller (routing.yml)

In routing.yml, comment out these lines:

fos_user_security:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
    options:
        expose: true

Add these lines below the commented-out lines:

#Over-ride the SecurityController of the FOSUserBundle:
fos_user_security_login:
  path: /login
  defaults:  { _controller: YourAppUserBundle:Security:login }
  methods:  [GET]
  options:
    expose: true

fos_user_security_check:
  path: /login_check
  defaults:  { _controller: FOSUserBundle:Security:check }
  methods:  [POST]
  options:
    expose: true

fos_user_security_logout:
  path: /logout
  defaults:  { _controller: FOSUserBundle:Security:logout }
  methods:  [GET]
  options:
    expose: true

Note 1: I've only asked it to use the loginAction method from your custom SecurityController. The other two methods go to the parent class (not sure if it makes a difference).

Note 2: You need the "expose: true" part! Otherwise, you'll get a JavaScript error from the fos js routing bundle.

That should do it!

score 0 · Answer 4 · answered Mar 11 '13 at 10:04

I had to override FOSUserBundle's SecurityController loginAction where the login form is instanciated.

I replaced:

$csrfToken = $this->container->get('form.csrf_provider')->generateCsrfToken('authenticate');

return $this->container->get('templating')->renderResponse('FOSUserBundle:Security:login.html.'.$this->container->getParameter('fos_user.template.engine'), array(
        'last_username' => $lastUsername,
        'error'         => $error,
        'csrf_token' => $csrfToken,
    ));

with:

return $this->container->get('templating')->renderResponse('FOSUserBundle:Security:login.html.'.$this->container->getParameter('fos_user.template.engine'), array(
        'last_username' => $lastUsername,
        'error'         => $error,
        'csrf_token' => false,
    ));

score 0 · Answer 5 · answered Jul 22 '23 at 13:40

0

Here is the way to deactivate CSRF protection for a specific form in Symfony 6 if you are using createForm method inside a Controller

$form = $this->createForm(LoginFormType::class, null,
[
    'csrf_protection' => false
]);

answered Jul 22 '23 at 13:40

Big Ben Jr

23
6

Disable CSRF token on login form

5 Answers5

Linked