
Commit d29521d

committed
[#3327] Minor tweaks to Login form CSRF entry
1 parent c03f7e9 commit d29521d

1 file changed: +15 -8 lines changed

cookbook/security/csrf_in_login_form.rst

Lines changed: 15 additions & 8 deletions
@@ -8,10 +8,15 @@ When using a login form, you should make sure that you are protected against CSR
88
(`Cross-site request forgery`_). The Security component already has built-in support
99
for CSRF. In this article you'll learn how you can use it in your login form.
1010

11+
.. note::
12+
13+
Login CSRF attacks are a bit less well-known. See `Forging Login Requests`_
14+
if you're curious about more details.
15+
1116
Configuring CSRF
1217
----------------
1318

14-
At first, you have to configure the Security component so it can use CSRF protection.
19+
First, configure the Security component so it can use CSRF protection.
1520
The Security component needs a CSRF provider. You can set this to use the default
1621
provider available in the Form component:
1722

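Review bot: the new note at lines 11+ to 15+ says login CSRF attacks are "a bit less well-known" but never says what they are, so a reader does not learn why a login form in particular needs the token before being sent off to the external link; suggest one sentence in the note itself summarising the attack, keeping the `Forging Login Requests`_ link for the details. "a bit less well-known" is also informal for reference documentation; "less well-known" reads better. The rewording at 19+ (imperative "First, configure ...") is a clear improvement over the old "At first, you have to configure ...".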
@@ -61,17 +66,18 @@ provider available in the Form component:
6166
)
6267
));
6368
64-
The Security component can be configured further, but this is all information it needs
65-
to be able to use CSRF in the login form.
69+
The Security component can be configured further, but this is all information
70+
it needs to be able to use CSRF in the login form.
6671

6772
Rendering the CSRF field
6873
------------------------
6974

70-
Now the Security component checks for CSRF tokens, you have to add a *hidden* field
71-
to the login form containing the CSRF token. By default, this field is named as
72-
``_csrf_token``. That hidden field has to contain the CSRF token, which can be generated
73-
by using the ``csrf_token`` function. That function requires a token ID, which must
74-
be set to ``authenticate`` when using the login form:
75+
Now that Security component will check for the CSRF token, you have to add
76+
a *hidden* field to the login form containing the CSRF token. By default,
77+
this field is named ``_csrf_token``. That hidden field must contain the CSRF
78+
token, which can be generated by using the ``csrf_token`` function. That
79+
function requires a token ID, which must be set to ``authenticate`` when
80+
using the login form:
7581

7682
.. configuration-block::
7783

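Review bot: line 75+ drops an article: `Now that Security component will check for the CSRF token` should read `Now that the Security component will check for the CSRF token`. The rest of the hunk is a rewrap of the existing sentences at a shorter line width, with "is named as" correctly tightened to "is named" and "has to contain" to "must contain"; while lines 69+/70+ are being touched, "this is all information it needs" could become "this is all the information it needs".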
@@ -162,3 +168,4 @@ After this, you have protected your login form against CSRF attacks.
162168
));
163169
164170
.. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery
171+
.. _`Forging Login Requests`: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
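Review bot: the new `Forging Login Requests`_ target at line 171+ points at a section anchor (`#Forging_login_requests`) of the same Wikipedia article linked on the line above; section anchors change whenever an article is reorganised, so this link is more fragile than the article-level one and should be verified when the docs are built. Both targets use plain `http://`; consider `https://` for the new one rather than copying the old scheme.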
