How to disable csrf in symfony?
I used the code below, and it has CSRF too. But how can I disable its CSRF? I searched, and "Disable CSRF token on login form" did not help, as createFormBuilder() is not used in my case below, so what should I do?

$csrfStorage = new NativeSessionTokenStorage();
$csrfGenerator = new UriSafeTokenGenerator();
$csrfManager = new CsrfTokenManager($csrfGenerator, $csrfStorage);

$formFactory = Forms::createFormFactoryBuilder()
    ->addExtension(new CsrfExtension($csrfManager))
    ->getFormFactory();


$defaultFormTheme = 'bootstrap_3_layout.html.twig';

$vendorDir = realpath(__DIR__.'/../vendor');
$appVariableReflection = new \ReflectionClass('\Symfony\Bridge\Twig\AppVariable');
$vendorTwigBridgeDir = dirname($appVariableReflection->getFileName());
$viewsDir = realpath('twig');

$twig = new Twig_Environment(new Twig_Loader_Filesystem(array(
    $viewsDir,
    $vendorTwigBridgeDir.'/Resources/views/Form',
)));
$formEngine = new TwigRendererEngine(array($defaultFormTheme), $twig);
$twig->addRuntimeLoader(new \Twig_FactoryRuntimeLoader(array(
    TwigRenderer::class => function () use ($formEngine, $csrfManager) {
        return new TwigRenderer($formEngine, $csrfManager);
    },
)));
$twig->addExtension(new FormExtension());

$translator = new Translator('en');
$twig->addExtension(new TranslationExtension($translator));
$form = $formFactory->createBuilder()
    ->add('task', TextType::class)
    ->add('dueDate', DateType::class)
    ->getForm();

$request = Request::createFromGlobals();
$form->handleRequest();
if ($form->isSubmitted() && $form->isValid()) {
    $data = $form->getData();
    print_r($data);
}

$twig->display('new.html.twig', array(
    'form' => $form->createView(),
));
Ching answered 12/11, 2017 at 13:56 Comment(4)
Update your builder part to createBuilder('', null, ['csrf_protection' => false]) - Exceedingly
I get Error 0: Could not load type "". I guess because the first parameter cannot be null? What should I pass into it? - Ching
You should pass FormType, your own form type which you created. - Exceedingly
If you want to disable CSRF for everything, then set config.yml framework csrf_protection to false. But I really don't understand why you are adding the CSRF manager if you don't want CSRF protection. - Ossie
$form = $formFactory->createBuilder('Symfony\Component\Form\Extension\Core\Type\FormType', null, array('csrf_protection' => false))
Vacuole answered 12/11, 2017 at 15:42 Comment(0)
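The per-form opt-out from this answer, applied to the standalone form factory from the question, as an added example that is not part of the original posts. It assumes symfony/form and symfony/security-csrf are installed with Composer; the autoload path and the helper name describe() are assumptions.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: run from a project root where Composer installed symfony/form
// and symfony/security-csrf.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Form\Extension\Core\Type\FormType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\Extension\Csrf\CsrfExtension;
use Symfony\Component\Form\FormInterface;
use Symfony\Component\Form\Forms;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;

// Same wiring as the question: the extension enables CSRF for every root form.
$csrfManager = new CsrfTokenManager(new UriSafeTokenGenerator(), new NativeSessionTokenStorage());
$formFactory = Forms::createFormFactoryBuilder()
    ->addExtension(new CsrfExtension($csrfManager))
    ->getFormFactory();

// Form 1: default options, CSRF protection stays on.
$protected = $formFactory->createBuilder(FormType::class)
    ->add('task', TextType::class)
    ->getForm();

// Form 2: opt out for this form only; other forms keep their protection.
$unprotected = $formFactory->createBuilder(FormType::class, null, ['csrf_protection' => false])
    ->add('task', TextType::class)
    ->getForm();

// Hypothetical helper: reports the effective option, whether the rendered
// view carries the hidden _token field, and whether a submission that has
// no token is accepted.
function describe(FormInterface $form): array
{
    $view = $form->createView();      // built before submit, as on a first page load
    $form->submit(['task' => 'demo']); // constructed sample input, no _token key

    return [
        'csrf_protection'       => $form->getConfig()->getOption('csrf_protection'),
        'view_has_token_field'  => isset($view->children['_token']),
        'tokenless_post_valid'  => $form->isValid(),
        'errors'                => (string) $form->getErrors(),
    ];
}

$report = ['protected' => describe($protected), 'unprotected' => describe($unprotected)];
print_r($report);
```

Only the form created with 'csrf_protection' => false accepts the submission that carries no token; the other form built by the same factory rejects it with the CSRF error.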

To disable it globally for all of the forms (for example, if you want to implement your own logic), you can set this in your config/packages/framework.yaml:

framework:
  form:
    csrf_protection:
      enabled: false
Socinus answered 11/2, 2022 at 20:14 Comment(0)

To disable CSRF protection for a single form, you can do it like this:

<?php

namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

class ExampleType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // ...
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver
            ->setDefaults([
                'csrf_protection' => false, // add this option to disable CSRF protection for this form type
            ]);
    }
}
Comer answered 20/6, 2024 at 10:23 Comment(4)
Please add some explanation to your answer such that others can learn from it. How does your answer differ from the one by Mohamed posted more than six years ago? - Handtomouth
@NicoHaase This post is the first result on Google for the term "How to disable csrf in symfony?" and it does not contain this answer, so I added it. We can use configureOptions() in a new form type class. - Comer
Please add all clarification to your answer by editing it. The code from the question does not even use any form type. - Handtomouth
Is it OK right now, after I pasted the entire type class? - Comer
