我不使用“表单服务提供商”并手动将CSRF令牌输出到我的树枝登录表单:
$csrf_token = $app['csrf.token_manager']->getToken('token_id'); //'TOKEN'
在login.html.twig中:
<input type="hidden" name="_csrf_token" value="{{ csrf_token }}">
手册(https://silex.symfony.com/doc/2.0/providers/csrf.html)说,可以像这样检查令牌:
$app['csrf.token_manager']->isTokenValid(new CsrfToken('token_id', 'TOKEN'));
但整个登录过程由安全组件处理。如何向其添加CSRF检查?
这是我的防火墙设置:
$app['security.firewalls'] = array(
'login' => array(
'pattern' => '^/user/login$',
),
'secured_area' => array(
'pattern' => '^.*$',
'anonymous' => false,
'remember_me' => array(),
'form' => array(
'login_path' => '/user/login',
'check_path' => '/user/login_check',
),
'logout' => array(
'logout_path' => '/user/logout',
'invalidate_session' => true
),
'users' => function () use ($app) {
return new UserProvider($app['db']);
},
));
登录控制器:
$app->get('/user/login', function(Request $request) use ($app) {
$csrf_token = $app['csrf.token_manager']->getToken('token_id'); //'TOKEN'
return $app['twig']->render('login.html.twig', array(
'csrf_token' => $csrf_token,
));
});
答案 0 :(得分:2)
尝试将csrf选项添加到安全配置:
$app['security.firewalls'] = array(
....
'form' => array(
'login_path' => '/user/login',
'check_path' => '/user/login_check',
'with_csrf' => true,
'csrf_parameter' => '_csrf_token', // form field name
'csrf_token_id' => 'token_id'
),
....