feature symfony#57 Add CSRF protection for login form (xelaris)

javiereguiluz · javiereguiluz · commit 7e201d21e909 · 2015-04-24T10:46:49.000+02:00
This PR was merged into the master branch. Discussion ---------- Add CSRF protection for login form Commits ------- a95a5f9 Add CSRF protection for login form
diff --git a/app/Resources/views/security/login.html.twig b/app/Resources/views/security/login.html.twig
@@ -23,6 +23,7 @@
                             <label for="password">Password:</label>
                             <input type="password" id="password" name="_password" class="form-control" />
                         </div>
+                        <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}"/>
                         <button type="submit" class="btn btn-primary">
                             <i class="fa fa-sign-in"></i> Sign in
                         </button>
diff --git a/app/config/security.yml b/app/config/security.yml
@@ -29,6 +29,9 @@ security:
                 # The name of the route where the login form lives
                 # When the user tries to access a protected page, they are redirected here
                 login_path: security_login_form
+                # Secure the login form against CSRF
+                # Reference: http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html
+                csrf_provider: security.csrf.token_manager
 
             logout:
                 # The route name the user can go to in order to logout
