Question
Does anyone know how I can create a unique CSRF_token in Symfony? I used the following config in my security.yml file, and in the form it creates the default Symfony CSRF_token.
firewalls:
    login:
        pattern: ^/demo/secured/login$
        security: false
    docova:
        pattern: /.*
        form_login:
            login_path: %d.login_path%
            check_path: %d.check_path%
            csrf_provider: form.csrf_provider
            csrf_parameter: _csrf_token
            intention: My_Private_String
            default_target_path: %d.default_target_path%
            success_handler: myproject.security.authentication.success_handler
        logout:
            path: /MyProject/logout
            target: /MyProject
        anonymous: true
        security: true
        docova: true
and in my login twig file I have this:
<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" />
Appreciate it.
Answer 1:
The CSRF token generation is based on the name of the form and the session id, so the CSRF token is unique for each form per session as it is. If you want something truly unique for every form, you'd need to basically override the method that creates the CSRF token and pass in a randomized string in place of the form name. You'd then need to save that randomized string and match it with the session id so you can validate the CSRF token when the form is submitted.
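One way to implement what the answer describes, as an added example that is not from the original post or from Symfony itself: a standalone PHP token store that issues a random single-use token per form render, keeps it in the session under an assumed key, and checks the intention and token age on submit. Wiring it in as the firewall's csrf_provider service, and the session key and limits used here, are assumptions.

```php
<?php
// Added example: per-render, single-use CSRF tokens stored server-side.
// Unlike a token derived from form name + session id, each call to generate()
// yields a fresh random value, so two renders of the same form never share one.
final class UniqueCsrfTokenStore
{
    private const SESSION_KEY = '_csrf_unique'; // assumed session key name
    private const MAX_TOKENS  = 20;             // assumed cap: bounds session growth

    private array $session;

    /** @param array $session reference to the session storage (e.g. $_SESSION) */
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Issue a new token bound to $intention and remember it in the session.
    public function generate(string $intention): string
    {
        $token  = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $bucket = &$this->session[self::SESSION_KEY];
        $bucket[$token] = ['intention' => $intention, 'issued' => time()];
        // Drop the oldest entry once the cap is exceeded (string keys keep order).
        if (count($bucket) > self::MAX_TOKENS) {
            array_shift($bucket);
        }
        return $token;
    }

    // Validate and consume: a token is accepted at most once, only for the
    // intention it was issued for, and only within $ttl seconds of issue.
    public function validate(string $intention, ?string $token, int $ttl = 3600): bool
    {
        if ($token === null || !isset($this->session[self::SESSION_KEY][$token])) {
            return false;
        }
        $entry = $this->session[self::SESSION_KEY][$token];
        unset($this->session[self::SESSION_KEY][$token]); // single-use, even on failure
        return hash_equals($entry['intention'], $intention)
            && (time() - $entry['issued']) <= $ttl;
    }
}

// Demo against an in-memory stand-in for $_SESSION.
$session = [];
$store = new UniqueCsrfTokenStore($session);
$a = $store->generate('authenticate');
$b = $store->generate('authenticate');
var_dump($a !== $b);                             // two renders, two distinct tokens
var_dump($store->validate('authenticate', $a));  // first submit with $a is accepted
var_dump($store->validate('authenticate', $a));  // replaying $a is rejected
var_dump($store->validate('other', $b));         // $b rejected under a different intention
```

In the Twig template the hidden field would carry the value returned by generate('authenticate'), and the login check path would call validate('authenticate', $request->get('_csrf_token')) before authenticating.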
Source: https://stackoverflow.com/questions/22075065/create-custom-unique-csrf-token-in-symfony