
Minor rewords in the CSRF docs #10879


Merged
merged 1 commit into from
Jan 15, 2019
8 changes: 5 additions & 3 deletions reference/twig_reference.rst
@@ -277,6 +277,8 @@ form_rest
Renders all fields that have not yet been rendered, more information in
:ref:`the Twig Form reference <reference-forms-twig-rest>`.

.. _reference-twig-function-csrf-token:

csrf_token
~~~~~~~~~~

@@ -285,10 +287,10 @@ csrf_token
{{ csrf_token(intention) }}

``intention``
**type**: ``string``
**type**: ``string`` - an arbitrary string used to generate the token value.

Renders a CSRF token. Use this function if you want CSRF protection without
creating a form.
Renders a CSRF token. Use this function if you want :doc:`CSRF protection </security/csrf>`
in a regular HTML form not managed by the Symfony Form component.

is_granted
~~~~~~~~~~
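Review bot: "an arbitrary string used to generate the token value" (the new ``intention`` description) undersells what the argument does. It is the identifier the token is bound to, and whatever checks the submitted token has to pass exactly the same string, otherwise validation fails; a reader taking "arbitrary" literally may pick a different value on the checking side. Suggest: ``**type**: ``string`` - an arbitrary string that identifies the token; the same value must be used when the token is checked``. The signature still calls the argument ``intention`` while the reworded prose no longer explains that term, so either keep a short explanation or use a name that matches the description.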
20 changes: 13 additions & 7 deletions security/csrf.rst
@@ -109,22 +109,28 @@ CSRF Protection in Login Forms
See :doc:`/security/form_login_setup` for a login form that is protected from
CSRF attacks.

CSRF Protection in HTML Forms
-----------------------------
.. _csrf-protection-in-html-forms:

Generating and Checking CSRF Tokens Manually
--------------------------------------------

.. versionadded:: 4.1

In Symfony versions prior to 4.1, CSRF support required installing the
Symfony Form component even if you didn't use it.

It's also possible to add CSRF protection to regular HTML forms not managed by
the Symfony Form component, for example the simple forms used to delete items.
First, use the ``csrf_token()`` function in the Twig template to generate a CSRF
token and store it as a hidden field of the form:
Although Symfony Forms provide automatic CSRF protection by default, you may
need to generate and check CSRF tokens manually for example when using regular
HTML forms not managed by the Symfony Form component.

Consider a simple HTML form created to allow deleting items. First, use the
:ref:`csrf_token() Twig function <reference-twig-function-csrf-token>` to
generate a CSRF token in the template and store it as a hidden form field:

.. code-block:: twig

<form action="{{ url('admin_post_delete', { id: post.id }) }}" method="post">
{# the argument of csrf_token() is an arbitrary value used to generate the token #}
{# the argument of csrf_token() is an arbitrary string used to generate the token #}
<input type="hidden" name="token" value="{{ csrf_token('delete-item') }}" />

<button type="submit">Delete item</button>
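Review bot: missing comma in the reworded paragraph "generate and check CSRF tokens manually for example when using regular HTML forms"; suggest "generate and check CSRF tokens manually, for example when using regular HTML forms not managed by the Symfony Form component." The updated template comment, ``{# the argument of csrf_token() is an arbitrary string used to generate the token #}``, should also say that this same string (``'delete-item'`` here) is what the controller must pass when it checks the submitted token, since the new section title promises both generating and checking and the token is useless if the two sides use different identifiers. The added ``.. _csrf-protection-in-html-forms:`` label keeps existing ``:ref:`` links to the renamed section working and should stay.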