[Security] No CSRF in the login form?

[Gregwar]

In the login form of the documentation, there is no CSRF protection.
I think that forcing an user to login may be a security issue in some cases.

Any opinion on that?

[Gregwar]

This kind of thing could be done like the code shown in this accepted PR:
symfony/symfony#3080

[wouterj]

The login form would benefit from a CSRF protection, mostly because people having issues with this. But this topic is too big to talk about in the book chapter, a new article should be created in cookbook/security which talks about this topic. And in the book chapter, in the "Using a Traditional Login Form" section, a .. caution should be added, talking about CSRF and linking to this cookbook article.

Globally speaking, the CSRF is handled by the security system. The only thing you need to do is adding a field and configuring it.

To configure it, you need to set the csrf_provider:

security:
    firewalls:
        secured_area:
            # ...
            login:
                # ...
                csrf_provider: form.csrf_provider

Now, you need to render a field in the form with the name of _csrf_token (this can be changed by setting csrf_parameter) and then generate the csrf (using the csrf_token function seen in symfony/symfony#3080 ) with the id authenticate (this can be changed by the intention setting):

<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">

To make things easier, the option have been renamed in 2.4. After the PR is merged, this should be reflected:

• csrf_provider -> csrf_token_provider
• intention -> csrf_token_id