From fafa019f6e14e2d182cc6eb0aee6aa32f6c5ebd4 Mon Sep 17 00:00:00 2001 From: Zbigniew Czapran Date: Wed, 11 Dec 2013 17:10:39 +0100 Subject: [PATCH 1/7] [Book][Validation] validate method in Validator returns ContraintViolationList object not an array --- book/validation.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/book/validation.rst b/book/validation.rst index 6941d357465..3943464fd16 100644 --- a/book/validation.rst +++ b/book/validation.rst @@ -113,8 +113,9 @@ Next, to actually validate an ``Author`` object, use the ``validate`` method on the ``validator`` service (class :class:`Symfony\\Component\\Validator\\Validator`). The job of the ``validator`` is easy: to read the constraints (i.e. rules) of a class and verify whether or not the data on the object satisfies those -constraints. If validation fails, an array of errors is returned. Take this -simple example from inside a controller:: +constraints. If validation fails, a non-empty list +(class :class:`Symfony\\Component\\Validator\\ConstraintViolationList`) of errors +is returned. Take this simple example from inside a controller:: // ... use Symfony\Component\HttpFoundation\Response; From add83894174ee24bf8edbf33910f15c4b0c2c4f3 Mon Sep 17 00:00:00 2001 From: Zbigniew Czapran Date: Wed, 11 Dec 2013 17:32:17 +0100 Subject: [PATCH 2/7] applies WouterJ suggestion --- book/validation.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/validation.rst b/book/validation.rst index 3943464fd16..ac4bacfdbd3 100644 --- a/book/validation.rst +++ b/book/validation.rst 
@@ -113,9 +113,9 @@ Next, to actually validate an ``Author`` object, use the ``validate`` method on the ``validator`` service (class :class:`Symfony\\Component\\Validator\\Validator`). The job of the ``validator`` is easy: to read the constraints (i.e. rules) of a class and verify whether or not the data on the object satisfies those -constraints. If validation fails, a non-empty list -(class :class:`Symfony\\Component\\Validator\\ConstraintViolationList`) of errors -is returned. Take this simple example from inside a controller:: +constraints. If validation fails, a non-empty list of errors +(class :class:`Symfony\\Component\\Validator\\ConstraintViolationList`) is +returned. Take this simple example from inside a controller: // ... use Symfony\Component\HttpFoundation\Response; From 7d87c7b415f0d2065ed6279a0b694ea253f99812 Mon Sep 17 00:00:00 2001 From: Wouter J Date: Sat, 14 Dec 2013 13:39:09 +0100 Subject: [PATCH 3/7] Small fixes --- book/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/security.rst b/book/security.rst index 9977e7754cc..0d959cf2e4d 100644 --- a/book/security.rst +++ b/book/security.rst @@ -319,7 +319,7 @@ First, enable form login under your firewall: - + From 114974023cc78da6c586c7456f111e96704e530d Mon Sep 17 00:00:00 2001 From: Wouter J Date: Sat, 14 Dec 2013 13:39:37 +0100 Subject: [PATCH 4/7] Documented CSRF protection in login forms --- cookbook/security/csrf_in_login_form.rst | 115 +++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 cookbook/security/csrf_in_login_form.rst diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst new file mode 100644 index 00000000000..b3734f71ee6 --- /dev/null +++ b/cookbook/security/csrf_in_login_form.rst 
@@ -0,0 +1,115 @@ +.. index:: + single: Security; CSRF in the Login Form + +Using CSRF in the Login Form +============================ + +When using a login form, you should make sure that you are protected for CSRF +(`Cross-site request forgery`_). The Security component already has build-in support +form CSRF. In this article, you'll learn how you can use it in your login form. + +Configuring CSRF +---------------- + +At first, you have to configure the security component so it can use CSRF protection. +The security component needs a CSRF provider. You can set this to use the default +provider provided by the Form component: + +.. configuration-block:: + + .. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + secured_area: + # ... + form_login: + # ... + csrf_provider: form.csrf_provider + + .. code-block:: xml + + + + + + + + + + + + + + + .. code-block:: php + + // app/config/security.php + $container->loadFromExtension('security', array( + 'firewalls' => array( + 'secured_area' => array( + // ... + 'form_login' => array( + // ... + 'csrf_provider' => 'form.csrf_provider', + ) + ) + ) + )); + +The Security component can be configured further, but this is all information it needs +to be able to use CSRF in the login form. + +Rendering the CSRF field +------------------------ + +Now the Security component checks for CSRF tokens, you have to add a *hidden* field +to the login form containing the CSRF token. By default, this field is named as +``_csrf_token``. That hidden field has to contain the CSRF token, which can be generated +by using the ``csrf_token`` function. That function requires a token ID, which is +must be set to ``authenticate`` when using the login form: + +.. configuration-block:: + + .. code-block:: html+twig + + {# src/Acme/SecurityBundle/Resources/views/Security/login.html.twig #} + + {# ... #} +
+ {# ... the login fields #} + + + + +
+ + .. code-block:: html+php + + + + +
+ + + + + +
+ +After this, you have protected your login form for CSRF attacks. + +.. tip:: + + You can change the name of the field by setting ``csrf_parameter`` and the token + ID by setting ``intention`` in your configuration. + +.. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery From 7f4b3e8ded568f1729a045c7bb9887330c1e31d1 Mon Sep 17 00:00:00 2001 From: Wouter J Date: Sat, 14 Dec 2013 13:40:59 +0100 Subject: [PATCH 5/7] Added references --- book/security.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/book/security.rst b/book/security.rst index 0d959cf2e4d..35d27275ba8 100644 --- a/book/security.rst +++ b/book/security.rst @@ -519,6 +519,11 @@ Finally, create the corresponding template: +.. caution:: + + This login form is currently not protected against CSRF attacks. Read + :doc:`/cookbook/security/csrf_in_login_form` on how to protect your login form. + .. tip:: The ``error`` variable passed into the template is an instance of From 3a073d53f68de971fa766a98a81ae65e0eac0299 Mon Sep 17 00:00:00 2001 From: Wouter J Date: Sun, 15 Dec 2013 15:57:44 +0100 Subject: [PATCH 6/7] Fixed comments --- cookbook/security/csrf_in_login_form.rst | 71 ++++++++++++++++++++---- 1 file changed, 60 insertions(+), 11 deletions(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index b3734f71ee6..74a4527af31 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst 
@@ -4,16 +4,16 @@ Using CSRF in the Login Form ============================ -When using a login form, you should make sure that you are protected for CSRF -(`Cross-site request forgery`_). The Security component already has build-in support -form CSRF. In this article, you'll learn how you can use it in your login form. +When using a login form, you should make sure that you are protected against CSRF +(`Cross-site request forgery`_). The Security component already has built-in support +for CSRF. In this article you'll learn how you can use it in your login form. Configuring CSRF ---------------- -At first, you have to configure the security component so it can use CSRF protection. -The security component needs a CSRF provider. You can set this to use the default -provider provided by the Form component: +At first, you have to configure the Security component so it can use CSRF protection. +The Security component needs a CSRF provider. You can set this to use the default +provider available in the Form component: .. configuration-block:: @@ -70,8 +70,8 @@ Rendering the CSRF field Now the Security component checks for CSRF tokens, you have to add a *hidden* field to the login form containing the CSRF token. By default, this field is named as ``_csrf_token``. That hidden field has to contain the CSRF token, which can be generated -by using the ``csrf_token`` function. That function requires a token ID, which is -must be set to ``authenticate`` when using the login form: +by using the ``csrf_token`` function. That function requires a token ID, which must +be set to ``authenticate`` when using the login form: .. configuration-block:: 
@@ -105,11 +105,60 @@ must be set to ``authenticate`` when using the login form: -After this, you have protected your login form for CSRF attacks. +After this, you have protected your login form against CSRF attacks. .. tip:: - You can change the name of the field by setting ``csrf_parameter`` and the token - ID by setting ``intention`` in your configuration. + You can change the name of the field by setting ``csrf_parameter`` and change + the token ID by setting ``intention`` in your configuration: + + .. configuration-block:: + + .. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + secured_area: + # ... + form_login: + # ... + csrf_parameter: _csrf_security_token + intention: a_private_string + + .. code-block:: xml + + + + + + + + + + + + + + + .. code-block:: php + + // app/config/security.php + $container->loadFromExtension('security', array( + 'firewalls' => array( + 'secured_area' => array( + // ... + 'form_login' => array( + // ... + 'csrf_parameter' => '_csrf_security_token', + 'intention' => 'a_private_string', + ) + ) + ) + )); .. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery From d1e6b4fd813984d8215ae0efed26a9fe50066cd2 Mon Sep 17 00:00:00 2001 From: Wouter J Date: Mon, 16 Dec 2013 07:55:24 +0100 Subject: [PATCH 7/7] Updated toctree and index --- cookbook/map.rst.inc | 1 + cookbook/security/index.rst | 1 + 2 files changed, 2 insertions(+) diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc index 9c8260fd929..924d8ece8cc 100644 --- a/cookbook/map.rst.inc +++ b/cookbook/map.rst.inc @@ -133,6 +133,7 @@ * :doc:`/cookbook/security/custom_provider` * :doc:`/cookbook/security/custom_authentication_provider` * :doc:`/cookbook/security/target_path` + * :doc:`/cookbook/security/csrf_in_login_form` * **Serializer** diff --git a/cookbook/security/index.rst b/cookbook/security/index.rst index a8edbdc4317..c2623bcde64 100644 --- a/cookbook/security/index.rst +++ b/cookbook/security/index.rst 
@@ -15,3 +15,4 @@ Security custom_provider custom_authentication_provider target_path + csrf_in_login_form
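Review bot: in PATCH 1/7 (book/validation.rst, hunk ``@@ -113,8 +113,9 @@``) the rewritten sentence still reads as if a list is only returned when validation fails. The subject line's own point is that ``validate`` returns a ``ConstraintViolationList`` rather than an array, so say that directly: the method always returns a :class:`Symfony\\Component\\Validator\\ConstraintViolationList`, which is empty when the object is valid and contains one entry per violated constraint otherwise. That is the behaviour callers that count the returned list rely on, and it is clearer than "a non-empty list of errors is returned".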
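Review bot: in PATCH 2/7 (book/validation.rst, hunk ``@@ -113,9 +113,9 @@``) the last ``+`` line ends with a single colon ("from inside a controller:") where PATCH 1/7 kept "controller::". In reStructuredText the trailing ``::`` is what turns the following ``// ...`` / ``use Symfony\Component\HttpFoundation\Response;`` context lines into a literal code block; with one colon that example renders as running prose. Restore ``controller::`` (the leading-colon form can be hidden with ``:: `` on its own line if the author prefers, but the double colon must stay).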
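Review bot: in PATCH 4/7 (new file cookbook/security/csrf_in_login_form.rst) the intro carries wording slips that later commits in the series only partly repair and which would be cleaner squashed into this commit: "protected for CSRF" (against), "build-in support form CSRF" (built-in support for CSRF), "which is must be set to ``authenticate``" (which must be set), "At first, you have to configure" (First, configure) and "this field is named as ``_csrf_token``" (is named). "security component" and "Security component" are also mixed in the same section; pick the capitalised form used elsewhere in the book. In the "Rendering the CSRF field" section, the phrase "Now the Security component checks for CSRF tokens, you have to add" needs "Now that ..." to read as one sentence.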
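Review bot: in PATCH 6/7, second hunk (``@@ -105,11 +105,60 @@``), the sample value ``intention: a_private_string`` (and ``'intention' => 'a_private_string'`` in the PHP block) suggests the token ID is a secret. It is not: the same ID is the argument the template passes to ``csrf_token(...)``, so it is visible in the rendered page, and the CSRF secret is configured separately. A neutral value such as ``login`` avoids that impression. The expanded tip also changes both ``csrf_parameter`` and ``intention`` without saying that the hidden field's ``name`` and the ``csrf_token`` argument in the Twig and PHP templates from the "Rendering the CSRF field" section must be updated to the same values; if they differ, the submitted token will not validate and every login attempt is rejected. One sentence after the configuration block, such as "Remember to use the same values for the field name and the token ID in your template", closes that gap.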