generateCsrfToken #9300

t3chn0r · 2013-10-15T23:54:45Z

II'm not sure if I understand what generateCsrfToken() is supposed to do so bare with me for a second. My understanding is that generateCsrfToken() generates a random string of characters/numbers based on an "intention" that is passed to it. Now, my understanding is that this random set of characters/numbers changes every time I call the function even with the same intention string... Is this wrong?

I just created a simple controller action that generates the CSRF with the same intention 5 times but the CSRF generated is alway the same:

/**
     * @Route("/csrf", name="_le_test_csrf")
     */
    public function csrfAction()
    {
        $csrfs = $this->container->get('form.csrf_provider')->generateCsrfToken('test').'<br>';
        $csrfs .= $this->container->get('form.csrf_provider')->generateCsrfToken('test').'<br>';
        $csrfs .= $this->container->get('form.csrf_provider')->generateCsrfToken('test').'<br>';
        $csrfs .= $this->container->get('form.csrf_provider')->generateCsrfToken('test').'<br>';
        $csrfs .= $this->container->get('form.csrf_provider')->generateCsrfToken('test').'<br>';

        return new Response($csrfs);
    }

6af5e27e57cde92e85fdd80d6ace6ad8ba241aa9
6af5e27e57cde92e85fdd80d6ace6ad8ba241aa9
6af5e27e57cde92e85fdd80d6ace6ad8ba241aa9
6af5e27e57cde92e85fdd80d6ace6ad8ba241aa9
6af5e27e57cde92e85fdd80d6ace6ad8ba241aa9

Every single form in my application is submitted via Ajax and I'm trying to change and update the CSRF field in the form on each submission to make sure the same CSRF is not used twice but I found out that I can't generate a new CSRF token with the same intention.

Any help will be appreciated.

Regards

The text was updated successfully, but these errors were encountered:

stof · 2013-10-16T00:30:40Z

In Symfony 2.3 and below, there is no way to make a CSRF token expire (except expiring the whole session as the token depends on the session id). It is not different on each generation, otherwise you would not be able to check it (checking it is implemented by generating it again and comparing the value).

The implementation has changed in 2.4 (currently in beta) to allow expiring CSRF token (the intention is now used to store the token in the session, not to generate the token).

t3chn0r · 2013-10-16T11:30:02Z

Thanks @stof, do you know if this new implementation will make its way to 2.3 being the LTS version? Maybe it can be classified as a "security enhancement"?

Thanks a lot again for your quick response and help!

Regards

stof · 2013-10-16T11:31:41Z

No it cannot. It is a new feature as it is a whole new implementation (added in the security component instead of the form component). New features are never backported to maintenance releases

t3chn0r · 2013-10-16T12:54:08Z

No problem, I guess I'll move to 2.4 then once it's released. Thanks!

…oalaJoe) This PR was merged into the 4.1-dev branch. Discussion ---------- [Security] Add configuration for Argon2i encryption | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26174 | License | MIT | Doc PR | [#9300](symfony/symfony-docs#9300) Feedback? Current situation: Configuration only applies if argon2i is natively supported. Commits ------- 1300fec [Security] Add configuration for Argon2i encryption

Tobion closed this as completed Oct 16, 2013

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

generateCsrfToken #9300

generateCsrfToken #9300

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

generateCsrfToken #9300

generateCsrfToken #9300

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!