From 0bfdde5de7b00cdbc06e2406885c5e5195281cb4 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 21 Feb 2019 09:59:31 +0100 Subject: [PATCH 1/3] Documented the logout CSRF options --- reference/configuration/security.rst | 26 ++++++++++++++++++++++++++ security/csrf.rst | 3 ++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index c33f89d94e8..1ae3c5622ab 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -181,6 +181,32 @@ success_handler The service ID used for handling a successful logout. The service must implement :class:`Symfony\\Component\\Security\\Http\\Logout\\LogoutSuccessHandlerInterface`. +.. _reference-security-logout-csrf: + +csrf_parameter +~~~~~~~~~~~~~~ + +**type**: ``string`` **default**: ``'_csrf_token'`` + +The name of the parameter that stores the CSRK token value. + +csrf_token_generator +~~~~~~~~~~~~~~~~~~~~ + +**type**: ``string`` **default**: ``null`` + +The ``id`` of the service used to generate the CSRF tokens. Symfony provides a +default service whose ID is ``security.csrf.token_manager``. + + +csrf_token_id +~~~~~~~~~~~~~ + +**type**: ``string`` **default**: ``'logout'`` + +An arbitrary string used to generate the token value (and check its validity +afterwards). + .. _reference-security-ldap: LDAP functionality diff --git a/security/csrf.rst b/security/csrf.rst index 460aae6d921..cae616f40e6 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -121,7 +121,8 @@ CSRF Protection in Login Forms ------------------------------ See :doc:`/security/form_login_setup` for a login form that is protected from -CSRF attacks. +CSRF attacks. You can also configure the +:ref:`CSRF protection for the logout action `_. .. _csrf-protection-in-html-forms: From a7f1db34116b0ad7ad9db203236568d6ef111668 Mon Sep 17 00:00:00 2001 
From: Javier Eguiluz Date: Thu, 21 Feb 2019 10:08:22 +0100 Subject: [PATCH 2/3] - --- security/csrf.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/csrf.rst b/security/csrf.rst index cae616f40e6..1cb195045b6 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -122,7 +122,7 @@ CSRF Protection in Login Forms See :doc:`/security/form_login_setup` for a login form that is protected from CSRF attacks. You can also configure the -:ref:`CSRF protection for the logout action `_. +:ref:`CSRF protection for the logout action `. .. _csrf-protection-in-html-forms: From 8552966bcc91c8da52ae49e83ca3f08585140b87 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Fri, 22 Feb 2019 09:04:09 +0100 Subject: [PATCH 3/3] Tweaks --- reference/configuration/security.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 1ae3c5622ab..249a608966f 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -188,7 +188,7 @@ csrf_parameter **type**: ``string`` **default**: ``'_csrf_token'`` -The name of the parameter that stores the CSRK token value. +The name of the parameter that stores the CSRF token value. csrf_token_generator ~~~~~~~~~~~~~~~~~~~~ @@ -198,7 +198,6 @@ csrf_token_generator The ``id`` of the service used to generate the CSRF tokens. Symfony provides a default service whose ID is ``security.csrf.token_manager``. - csrf_token_id ~~~~~~~~~~~~~
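Review bot: In the `csrf_token_generator` entry of the first hunk of PATCH 1/3 (reference/configuration/security.rst), the documented default of `null` sits next to a sentence saying Symfony provides a default service `security.csrf.token_manager`, and a reader cannot tell whether leaving the option at `null` means the logout request is not CSRF-checked at all or the default manager is picked up implicitly; the entry should state which, and if enabling the check requires setting the option, say so explicitly (e.g. "set this to `security.csrf.token_manager` to enable CSRF checking of the logout URL"). Two smaller points in the same hunk: the `csrf_parameter` description reads "CSRK token value" (typo for CSRF), and there is a doubled blank line before the `csrf_token_id` heading, inconsistent with the single blank line between the other option entries.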
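Review bot: The cross-reference added in the security/csrf.rst hunk of PATCH 1/3, `:ref:`CSRF protection for the logout action `_`, ends with a trailing underscore, which is external-hyperlink syntax and is not accepted by the `:ref:` role; drop the `_` so it reads `:ref:`CSRF protection for the logout action ``. Also check that the explicit label target (`reference-security-logout-csrf`, the anchor added in the other file) is actually present in angle brackets after the link text: as shown in this hunk the role text ends in a space right before the closing backtick, and without the `<label>` part the reference will not resolve.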
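Review bot: The subject line of PATCH 2/3 is just "-", which leaves no record of what the change is; give it a descriptive subject (for example "Fix :ref: syntax for the logout CSRF link") or squash it into PATCH 1/3, since its only content is removing the trailing underscore that patch introduced. The correction itself, `:ref:`CSRF protection for the logout action `` without the `_`, is right.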
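Review bot: The "CSRK" to "CSRF" correction in the first hunk of PATCH 3/3 and the removal of the doubled blank line in its second hunk both fix lines that PATCH 1/3 of this same series introduced; squash them into PATCH 1/3 so the series does not carry a known-wrong line and the history stays bisectable, rather than landing a "Tweaks" commit on top.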