I have this open source Symfony app and I need to disable CSRF checks either globally or at least for some <form>s. Besides the 2 methods described below, I also tried removing various lines of code that mention CSRF, but nothing helped.

What I tried:

  1. I tried to globally disable CSRF as described here How can I turn of CSRF protection globally on Symfony 3 with FOSUserBundle , but the problem is in my Symfony App there are no .yml files in root/config directory - it only contains: settings.php, default.settings.php, dev.php, prod.php, languages.php, but no .yml/.xml files
  2. I tried to disable CSRF for a specific <form> as described here How to disable csrf in symfony? , but the problem is my <form> is HTML-based, not PHP-based. My Symfony app doesn't create <form>s via PHP.

My Symfony App:

...
// Authentication
$app->get('/login', '\AgenDAV\Controller\Authentication::loginAction')->bind('login');
$app->post('/login', '\AgenDAV\Controller\Authentication::loginAction');
$app->get('/logout', '\AgenDAV\Controller\Authentication::logoutAction')->bind('logout');

// CSRF protection
$app->before(function(Request $request, Application $app) {
    return \AgenDAV\Csrf::check($request, $app);
});
...
  • The login form template is in root/templates/login.html and it is called inside root/src/controller/Authentication.php:
...
return $app['twig']->render('login.html', $template_vars);
...
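As an added example (not AgenDAV's own code, and not part of the question above), the following shows how the `$app->before(...)` hook shown in the question can enforce a CSRF token itself and let individual named routes opt out, so the check does not have to be removed for the whole application. It assumes Silex 2.x with the `SessionServiceProvider` registered; the route name `login` comes from the `->bind('login')` call in the question, while the session key `_csrf_token`, the form field `_csrf` and the header `X-CSRF-Token` are assumed names.

```php
<?php
// Added example, not AgenDAV's code: a Silex "before" middleware that enforces a
// session-bound CSRF token on state-changing requests and allows a short, explicit
// list of named routes to be exempted instead of disabling the check globally.

use Silex\Application;
use Silex\Provider\SessionServiceProvider;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

const CSRF_SESSION_KEY   = '_csrf_token';   // assumed session key
const CSRF_FIELD         = '_csrf';         // assumed hidden form field name
const CSRF_HEADER        = 'X-CSRF-Token';  // assumed header for XHR requests
const CSRF_EXEMPT_ROUTES = ['login'];       // route names given to ->bind(); keep this minimal

$app = new Application();
$app->register(new SessionServiceProvider());

// Issue one random token per session; templates embed it as a hidden field.
function csrfToken(Application $app): string
{
    $session = $app['session'];
    if (!$session->has(CSRF_SESSION_KEY)) {
        $session->set(CSRF_SESSION_KEY, bin2hex(random_bytes(32)));
    }
    return $session->get(CSRF_SESSION_KEY);
}

// Returns null to let the request through, or a 403 Response to stop it.
function csrfCheck(Request $request, Application $app): ?Response
{
    // Safe methods (GET, HEAD, OPTIONS, TRACE) must not change state, so no token is required.
    if ($request->isMethodSafe()) {
        return null;
    }

    // Per-route opt-out. The route name is available here because Silex resolves the
    // route before default-priority "before" middlewares run.
    $routeName = $request->attributes->get('_route');
    if (in_array($routeName, CSRF_EXEMPT_ROUTES, true)) {
        return null;
    }

    $expected = csrfToken($app);
    $given    = $request->request->get(CSRF_FIELD);
    if (!is_string($given)) {
        $given = (string) $request->headers->get(CSRF_HEADER, '');
    }

    // Constant-time comparison so the token cannot be recovered through timing differences.
    if ($given === '' || !hash_equals($expected, $given)) {
        return new Response('Invalid CSRF token', Response::HTTP_FORBIDDEN);
    }
    return null;
}

$app->before(function (Request $request, Application $app) {
    return csrfCheck($request, $app);
});

// Routes as in the question; the login POST is exempt because 'login' is listed above,
// while every other POST/PUT/DELETE route still requires a valid token.
$app->get('/login', '\AgenDAV\Controller\Authentication::loginAction')->bind('login');
$app->post('/login', '\AgenDAV\Controller\Authentication::loginAction');
```

Any HTML form that is not exempt needs `<input type="hidden" name="_csrf" value="...">` filled from `csrfToken($app)` (for example via a Twig variable passed in `$template_vars`). Note that the exemption only bypasses the token comparison: a route listed in `CSRF_EXEMPT_ROUTES` loses protection against forged cross-site POSTs, which is why the list should contain only what genuinely cannot carry a token. It also does not address the third-party-cookie behaviour mentioned in the comments, since the session cookie the token is bound to is subject to the same browser policy as any other cookie.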
    Confusing post. Did you mean to post a link to the CalDev web client? It's not a Symfony app. Maybe you have a Symfony Silex based app? In any event, start by specifying exactly which version and type of 'Symfony' that you are using. – Cerad Aug 05 '20 at 12:09
  • I am not sure with the exact terminology, but clearly the open source project uses Symfony and Silex. – yukitmp Aug 05 '20 at 16:17
  • Okay. The Silex application is actually inside of the web directory. That is why it looked like an api sort of thing to me. This is just a guess but try adding a return statement as the first line in the Csrf::check method. If that does not work then consider adding the Silex tag to your question. – Cerad Aug 05 '20 at 16:47
  • Out of curiosity: tons of projects use CSRF to enhance security. Is there any good reason you want to disable it? Probably any other problem that should be fixed instead, such that you can keep this feature enabled? – Nico Haase Aug 06 '20 at 05:19
  • @NicoHaase I want to embed the calendar as an iframe with the auto-login feature, but the CSRF requires that damn token, which is somehow generated from a cookie on calendar's side, hence when I am embedding the calendar login form as an iframe all browsers treat that cookie as 3rd party. I believe by disabling the CSRF I won't need that damn token (generated via a cookie) to log in. And no, my main app and the calendar app are not on the same domain. – yukitmp Aug 06 '20 at 14:44