Skip to content

csrf_token now can be used without installing the Form component #9488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

csrf_token now can be used without installing the Form component #9488

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c43e611
csrf_token now can be used without installing the Form component
javiereguiluz Mar 23, 2018
a0569b9
Added a note about CSRF and Symfony 4.1
javiereguiluz Mar 25, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions security/csrf.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,11 @@ CSRF protection works by adding a hidden field to your form that contains a
value that only you and your user know. This ensures that the user - not some
other entity - is submitting the given data.

Before using the CSRF protection, install it in your project (which in turn
requires installing the Symfony Form component):
Before using the CSRF protection, install it in your project:

.. code-block:: terminal

$ composer require security-csrf form
$ composer require security-csrf
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we now need to show how to install forms for the section where we integrate CSRF tokens into a Symfony form? Or is it too obvious that you do of course need the Form component for them?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you that it would be too obvious to install form first because you are literally creating a Symfony Form in that section.


Then, enable/disable the CSRF protection with the ``csrf_protection`` option
(see the :ref:`CSRF configuration reference <reference-framework-csrf-protection>`
Expand Down Expand Up @@ -278,6 +277,10 @@ After this, you have protected your login form against CSRF attacks.
CSRF Protection in HTML Forms
-----------------------------

.. versionadded:: 4.1
In Symfony versions prior to 4.1, CSRF support required installing the
Symfony Form component even if you didn't use it.

It's also possible to add CSRF protection to regular HTML forms not managed by
the Symfony Form component, for example the simple forms used to delete items.
First, use the ``csrf_token()`` function in the Twig template to generate a CSRF
Expand Down