Php – Symfony 3.0.1 CSRF token present but invalid

formsPHPsymfony

I am having this strange issue with a fresh Symfony 3.0.1 installation. I generated a new CRUD Controller with a Form PostType which contains an url and a title. Nothing fancy.

The form is rendered as expected. It contains both my url field and title field. Inside the form the hidden input field _token is also rendered.

When submitting this form, i am getting all the time the following error:

The CSRF token is invalid. Please try to resubmit the form.

So the token is added to the form, it contains a value, i have a constant PHP session cookie value, it is just that this token invalid.

I have searched for other answers but the similar questions are all caused by the absence of a _token input.

This problem also occurs in Symfony 3.0.2/3.0.3.

Best Answer

In my case it was that the var/sessions/ folder wasn't writable. The default is var/sessions which is set at config.yml.

session:
    # http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
    handler_id:  session.handler.native_file
    save_path:   "%kernel.root_dir%/../var/sessions/%kernel.environment%"

Make sure you have var/ folders writable.

chmod 775 -R var/sessions/
chmod 775 -R var/log/
chmod 775 -R var/cache/

Related Solutions

Symfony – How to check whether the supplied CSRF token is invalid in Symfony2

There is no documented way to check csrf token manually. Symfony automatically validates the presence and accuracy of this token. http://symfony.com/doc/current/book/forms.html#csrf-protection

However there is a csrf provider:

http://api.symfony.com/2.0/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.html

and

http://api.symfony.com/master/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.html

Marks classes able to provide CSRF protection You can generate a CSRF token by using the method generateCsrfToken(). To this method you should pass a value that is unique to the page that should be secured against CSRF attacks. This value doesn't necessarily have to be secret. Implementations of this interface are responsible for adding more secret information.

If you want to secure a form submission against CSRF attacks, you could supply an "intention" string. This way you make sure that the form can only be bound to pages that are designed to handle the form, that is, that use the same intention string to validate the CSRF token with isCsrfTokenValid().

You can retrieve the provider like this

$csrf = $this->get('form.csrf_provider');

use can then use

public Boolean isCsrfTokenValid(string $intention, string $token)

Validates a CSRF token.

Parameters string $intention The intention used when generating the CSRF token string $token The token supplied by the browser

Return Value Boolean Whether the token supplied by the browser is correct

You need to finde out the intention string used by your form.

Some interesting posts on SO:

Symfony CSRF and Ajax

Symfony2 links with CSRF token

Best Answer

Related Solutions

Symfony – How to check whether the supplied CSRF token is invalid in Symfony2

Related Topic