Symfony2 logout CSRF protection: csrf_provider unrecognized - McMap

About

Symfony2 logout CSRF protection: csrf_provider unrecognized

Asked 22/6, 2014 at 16:54 Answered 22/6, 2014 at 20:54

Solved symfony logout csrf-protection

R

1

6

How can I protect the logout action? I read default configuration, and set

logout:
    csrf_parameter:       _token
    csrf_provider:        ~
    intention:            logout

but when I'm trying to clear cache the following error displayed:

[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException] Unrecognized options "csrf_provider" under "security.firewalls.main.logout"

I'm using Symfony 2.4 + FOSUserBundle 1.3.

Realism answered 22/6, 2014 at 16:54 Comment(4)

Could you rephrase your question title? Usually it should not contain any key words tagged in the question. Your title consists only of the keywords. – Simplicity 22/6, 2014 at 16:57

Have you checked this: #20350830 ? – Callean 22/6, 2014 at 16:58

@isi sorry, but I can't rephrase it, because it is very specific one and my imagination and low English skills prevents do this :( If moderators consider it necessary to rephrase it - I agree. – Realism 22/6, 2014 at 17:48

@DenisV I have already checked this topic. It isn't too related to my question, but CSRF protection is already enabled in my app. – Realism 22/6, 2014 at 17:49

R

16

I've researched the Symfony's code and find that now csrf_provider option renamed to csrf_token_generator. Then I googled and found related issue on GitHub. So the problem in an unsynchronized documentation.

The final solution is:

configuration:

# app/config/security.yml

security:
    # ...
    firewalls:
        # ...
        your_firewall_name:
            # ...
            logout:
                # ...
                csrf_token_generator: your_csrf_provider # e.g. form.csrf_provider

twig template:

<a href="{{ logout_url('your_firewall_name') }}">Logout</a>

Note, that we're using logout_url() instead of logout_path() due to helper bug (it generates absolute path without app_dev.php suffix in dev environment). Theese twig helpers appends %token_parameter% to your logout URI, e.g. http://example.com/app_dev.php/logout?_csrf_token=36wX6HYU2ASeZBQw_iwKcUDbplmFm4W7Ez-tMaavDNo.

Hope this information will be helpful.

Realism answered 22/6, 2014 at 20:54 Comment(0)

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.