[Authenticator] Invalid CSRF token (BC with SF 5.4) · Issue #44541 · symfony/symfony · GitHub

Closed

acantepie opened this issue Dec 9, 2021 · 22 comments

Comments

@acantepie

Symfony version(s) affected

5.4.1

Description

Can't authenticate with FormLoginAuthenticator.

How to reproduce

    # security.yaml
    firewalls:
        app:
            ...
            form_login:
                enable_csrf: true

The Symfony app is served by nginx running in Docker.

If I try to log in using a hostname:
=> foo.local:8001/login
I get this error:

[2021-12-09T18:23:05.087720+01:00] security.INFO: Authenticator failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\InvalidCsrfTokenException(code: 0): Invalid CSRF token. at /home/docker/symfony/vendor/symfony/security-http/EventListener/CsrfProtectionListener.php:51)","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.087796+01:00] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"umbrella_admin_login"} []
[2021-12-09T18:23:05.119546+01:00] security.DEBUG: The "Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator" authenticator set the failure response. {"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.119629+01:00] security.DEBUG: The "Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.145225+01:00] request.INFO: Matched route "umbrella_admin_login". {"route":"umbrella_admin_login","route_parameters":{"_route":"umbrella_admin_login","_controller":"Umbrella\\AdminBundle\\Controller\\SecurityController::login"},"request_uri":"http://foo.local:8001/login","method":"GET"} []
[2021-12-09T18:23:05.146043+01:00] security.DEBUG: Checking for authenticator support. {"firewall_name":"app","authenticators":1} []
[2021-12-09T18:23:05.146079+01:00] security.DEBUG: Checking support on authenticator. {"firewall_name":"app","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2021-12-09T18:23:05.146106+01:00] security.DEBUG: Authenticator does not support the request. {"firewall_name":"app","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []

If I try to log in using a hostname:
=> foo.local:8001/login: it works.

Downgrading Symfony to 5.4.0 solves the problem.

Possible Solution

No response

Additional Context

No response

@berkut1
berkut1 commented Dec 10, 2021

I have the same problem, but I don't use firewalls -> enable_csrf.

I check the CSRF token inside my LoginFormAuthenticator as shown in the Symfony docs: https://symfony.com/doc/current/security/custom_authenticator.html#passport-badges

Also, the problem only occurs on the remote server (no domain, only an IP). I cannot reproduce it locally.

I can't find a solution, so I rolled back to 5.4.0.

@berkut1
berkut1 commented Dec 10, 2021

I found what breaks it.
It is PR #44437: if I revert it, the CSRF token starts to work again.
Friendly ping @simonchrz @derrabus

@thewalkingcoder
thewalkingcoder commented Dec 10, 2021

I have the same issue after upgrading Symfony from 5.4.0 to 5.4.1.

On local development I use

    http://xxxxx.local

My session config was

    session:
        handler_id: null
        cookie_secure: 'auto'
        cookie_samesite: 'lax'
        storage_factory_id: session.storage.factory.native

Since 5.4.1, to resolve the problem (dev environment only) I changed cookie_secure:

    session:
        handler_id: null
        cookie_secure: false
        cookie_samesite: 'lax'
        storage_factory_id: session.storage.factory.native

@emmanuelballery

I think these issues are all about cookie_secure being set to auto and the change made in 36b466e:

@acantepie
Author
acantepie commented Dec 10, 2021

I found what breaks it. It is PR #44437: if I revert it, the CSRF token starts to work again. Friendly ping @simonchrz @derrabus

I confirm, reverting this PR solves the problem :)

@alexander-schranz
Contributor

Can you try out #44518 and see if it fixes your issue?

@Jelle-S
Jelle-S commented Dec 15, 2021

I found what breaks it. It is PR #44437: if I revert it, the CSRF token starts to work again. Friendly ping @simonchrz @derrabus

I confirm, reverting this PR solves the problem :)

I can confirm this as well

@alexander-schranz
Contributor

@Jelle-S did you try out the changes in #44518 to see if that fixes your issue?

@Jelle-S
Jelle-S commented Dec 15, 2021

@alexander-schranz I should've read all the comments! Yes, that seems to do the trick too. Thanks!

@alexander-schranz
Contributor

@Jelle-S Thank you for testing!

@acantepie
Author
acantepie commented Dec 15, 2021

Can you try out #44518 and see if it fixes your issue?

@alexander-schranz It does the job :)

@dennned
dennned commented Dec 19, 2021

thank you

@fecambot

Hi,
I tried it in Symfony 6.0.4, auth is still not working :(

@chiqui3d
chiqui3d commented Feb 18, 2022

Hi, I tried it in Symfony 6.0.4, auth is still not working :(

The default value of cookie_secure is now auto; check that, because that is what happened to me.

@Jonathanlight

@chiqui3d Hi, did you find a solution with version 5.4.4? I have tried version 6.0.0 and it works for me.

@antedom
antedom commented Mar 22, 2022

If you are in the dev env and using plain http for requests, then you should define cookie_secure: false. For https usage, cookie_secure should be set to true, because auto would not change properly to true (which is done by the SessionListener).
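The comments above (thewalkingcoder's cookie_secure workaround and antedom's explanation of auto) describe a mechanism that is easy to check once it is spelled out: the CSRF token is stored in the session, and a browser never sends a cookie carrying the Secure attribute over plain http, so if the session cookie ends up flagged Secure on an http:// login page, the POST arrives with no session and the token cannot be validated. The following is an added example written for this page, not Symfony code and not anyone's code from the thread. It models a browser cookie jar following the Secure rule of RFC 6265 section 5.4 and a toy login application that keeps the CSRF token in the session; the cookie name PHPSESSID, the session key "_csrf/authenticate", the "auto" semantics and the Set-Cookie parser are all simplifying assumptions made for the example and do not reproduce the real SessionListener logic or the change in PR #44437. The would_browser_send() helper is the practical check: paste the Set-Cookie header your login page returns and the scheme you are browsing with, and it tells you whether the browser will send the session cookie back on the POST.

```python
"""Why a Secure session cookie over plain http turns into "Invalid CSRF token".

Constructed example (not Symfony code): a minimal browser cookie jar that
honours the Secure attribute, and a minimal login app that stores the CSRF
token in the server-side session, as a session-backed token storage does.
"""
import secrets
from dataclasses import dataclass, field


def would_browser_send(set_cookie: str, scheme: str) -> bool:
    """Return True if a browser would send the cookie in `set_cookie` back
    on a request made over `scheme` ("http" or "https").

    RFC 6265 section 5.4: a cookie with the Secure attribute is only
    included when the request scheme is considered secure (https).
    The attribute parsing here is a simplification for this example.
    """
    attributes = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "secure" not in attributes or scheme == "https"


@dataclass
class CookieJar:
    """Browser side: remembers cookies and applies the Secure rule."""
    cookies: dict = field(default_factory=dict)  # name -> raw Set-Cookie line

    def store(self, set_cookie: str) -> None:
        name = set_cookie.split(";")[0].partition("=")[0].strip()
        self.cookies[name] = set_cookie

    def header_for(self, scheme: str) -> dict:
        """Name -> value for every cookie the browser would attach."""
        return {
            name: line.split(";")[0].partition("=")[2].strip()
            for name, line in self.cookies.items()
            if would_browser_send(line, scheme)
        }


@dataclass
class LoginApp:
    """Server side: session id cookie, CSRF token kept inside the session."""
    cookie_secure: "str | bool"  # modelled on the Symfony option: 'auto', True, False
    sessions: dict = field(default_factory=dict)

    def _secure_flag(self, scheme: str) -> bool:
        # 'auto' is modelled as: Secure exactly when the request came over https.
        if self.cookie_secure == "auto":
            return scheme == "https"
        return bool(self.cookie_secure)

    def get_login(self, scheme: str, cookies: dict):
        """Render the login form: (re)use the session, mint a CSRF token."""
        sid = cookies.get("PHPSESSID")
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        token = secrets.token_urlsafe(24)
        self.sessions[sid]["_csrf/authenticate"] = token  # assumed key name
        set_cookie = f"PHPSESSID={sid}; Path=/; HttpOnly; SameSite=Lax"
        if self._secure_flag(scheme):
            set_cookie += "; Secure"
        return token, set_cookie

    def post_login(self, cookies: dict, submitted_token: str) -> str:
        """Check the submitted token against the one stored in the session."""
        session = self.sessions.get(cookies.get("PHPSESSID"))
        expected = "" if session is None else session.get("_csrf/authenticate", "")
        if not secrets.compare_digest(expected, submitted_token):
            return "Invalid CSRF token."   # no session => nothing to compare against
        return "authenticated"


def login_flow(scheme: str, cookie_secure) -> str:
    """GET the form, let the browser store the cookie, POST the token back."""
    app, jar = LoginApp(cookie_secure), CookieJar()
    token, set_cookie = app.get_login(scheme, jar.header_for(scheme))
    jar.store(set_cookie)
    return app.post_login(jar.header_for(scheme), token)


if __name__ == "__main__":
    for scheme, setting in [("https", "auto"), ("http", "auto"),
                            ("http", True), ("http", False)]:
        print(f"{scheme:5} cookie_secure={setting!s:5} -> {login_flow(scheme, setting)}")
```

The interesting row is http with the flag effectively true: the GET succeeds and sets the cookie, but the browser withholds it on the POST, the server sees a fresh, empty session and reports the token as invalid, which is exactly the single failed request followed by a redirect back to the login form that the logs in this thread show. Setting cookie_secure to false for a plain-http dev environment makes the row pass again; on a real deployment the right fix is to serve the login over https rather than to drop the Secure flag.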

@fecambot
fecambot commented Apr 9, 2022

@Jonathanlight what do you mean?

I am on 6.0.7 and still have this error:
Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\CustomAuthAuthenticator"}

@alexander-schranz
Contributor

If you still have issues, it would be good if somebody provided a repository based on a minimal symfony/skeleton setup where the issue appears.

@fecambot
fecambot commented May 4, 2022

I just created a new project (6.0.8), used the maker bundle to add a user class and a login form, and still have "Authenticator does not support the request". I can't figure out what to change and where from the post linked in this topic, and I suppose it's not the right place to discuss the matter :).

@fecambot
fecambot commented May 4, 2022

I don't even have an error with wrong password.

@flameheart

Hi,
I ran into this about a week ago and am still struggling. Symfony version 6.0.8. It works well on my local env (Fedora 35) but fails when deployed (Ubuntu 22). So this is somewhat configuration/OS-based, but I still cannot find the differences between my setups.

@fecambot In my case there is no error message because a double redirect is triggered. Try looking at your Symfony logs. What I have there are 2 requests. The first goes to the authenticator and fails with "Invalid CSRF token". Then it redirects to login again, and that is where your "does not support the request" error appears.
And I guess the session or flash messages are being lost somewhere in the process.

I will be happy to provide any further information.

@fecambot

I'm using WAMP on a Windows 10 box, I'll look into updates and check again.
