From 3851c770489120f8e05190e1594b3f66ab310970 Mon Sep 17 00:00:00 2001 From: Raistlfiren Date: Tue, 1 Dec 2015 09:17:18 -0600 Subject: [PATCH 1/3] Updated csrf_in_login_form.rst to include csrf_token_id and csrf_token_generator Updated CSRF documentation to rename intention and csrf_provider. They were renamed in SF 3.0 to csrf_token_id and csrf_token_generator. --- cookbook/security/csrf_in_login_form.rst | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index 5853bbec647..1634a15383c 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -13,6 +13,10 @@ for CSRF. In this article you'll learn how you can use it in your login form. Login CSRF attacks are a bit less well-known. See `Forging Login Requests`_ if you're curious about more details. +.. note:: + + Since SF 2.8 ``intention`` has been depreciated, and removed in SF 3.0. It is now labeled as ``csrf_token_id``. ``csrf_provider`` was changed in SF 3.0 to ``csrf_token_generator``. + Configuring CSRF Protection --------------------------- @@ -33,7 +37,9 @@ provider available in the Security component: # ... form_login: # ... - csrf_provider: security.csrf.token_manager + # Use csrf_provider in SF <2.8 + # csrf_provider: security.csrf.token_manager + csrf_token_generator: security.csrf.token_manager .. code-block:: xml @@ -66,7 +72,9 @@ provider available in the Security component: // ... 'form_login' => array( // ... - 'csrf_provider' => 'security.csrf.token_manager', + // Use csrf_provider in SF <2.8 + // 'csrf_provider' => 'security.csrf.token_manager', + 'csrf_token_generator' => 'security.csrf.token_manager', ), ), ), @@ -124,7 +132,7 @@ After this, you have protected your login form against CSRF attacks. .. tip:: You can change the name of the field by setting ``csrf_parameter`` and change - the token ID by setting ``intention`` in your configuration: + the token ID by setting ``csrf_token_id`` ~~``intention``~~ in your configuration: .. configuration-block:: @@ -140,7 +148,8 @@ After this, you have protected your login form against CSRF attacks. form_login: # ... csrf_parameter: _csrf_security_token - intention: a_private_string + # intention: a_private_string + csrf_token_id: a_private_string .. code-block:: xml @@ -158,7 +167,8 @@ After this, you have protected your login form against CSRF attacks. + csrf_token_id="a_private_string" /> @@ -176,7 +186,8 @@ After this, you have protected your login form against CSRF attacks. 'form_login' => array( // ... 'csrf_parameter' => '_csrf_security_token', - 'intention' => 'a_private_string', + 'csrf_token_id' => 'a_private_string' + // 'intention' => 'a_private_string', ), ), ), From b223c489f9e56f79dfba75e21fc271e4d37ebc2e Mon Sep 17 00:00:00 2001 From: Aaron Valandra Date: Wed, 2 Dec 2015 09:00:24 -0600 Subject: [PATCH 2/3] Updated documentation as requested by @stof and @xabbuh --- cookbook/security/csrf_in_login_form.rst | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index 1634a15383c..c0514553613 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -13,10 +13,6 @@ for CSRF. In this article you'll learn how you can use it in your login form. Login CSRF attacks are a bit less well-known. See `Forging Login Requests`_ if you're curious about more details. -.. note:: - - Since SF 2.8 ``intention`` has been depreciated, and removed in SF 3.0. It is now labeled as ``csrf_token_id``. ``csrf_provider`` was changed in SF 3.0 to ``csrf_token_generator``. - Configuring CSRF Protection --------------------------- @@ -37,8 +33,6 @@ provider available in the Security component: # ... form_login: # ... - # Use csrf_provider in SF <2.8 - # csrf_provider: security.csrf.token_manager csrf_token_generator: security.csrf.token_manager .. code-block:: xml @@ -72,8 +66,6 @@ provider available in the Security component: // ... 'form_login' => array( // ... - // Use csrf_provider in SF <2.8 - // 'csrf_provider' => 'security.csrf.token_manager', 'csrf_token_generator' => 'security.csrf.token_manager', ), ), @@ -132,7 +124,7 @@ After this, you have protected your login form against CSRF attacks. .. tip:: You can change the name of the field by setting ``csrf_parameter`` and change - the token ID by setting ``csrf_token_id`` ~~``intention``~~ in your configuration: + the token ID by setting ``csrf_token_id`` in your configuration: .. configuration-block:: @@ -148,7 +140,6 @@ After this, you have protected your login form against CSRF attacks. form_login: # ... csrf_parameter: _csrf_security_token - # intention: a_private_string csrf_token_id: a_private_string .. code-block:: xml @@ -167,7 +158,6 @@ After this, you have protected your login form against CSRF attacks. csrf_token_id="a_private_string" /> @@ -187,11 +177,15 @@ After this, you have protected your login form against CSRF attacks. // ... 'csrf_parameter' => '_csrf_security_token', 'csrf_token_id' => 'a_private_string' - // 'intention' => 'a_private_string', ), ), ), )); +versionadded:: 2.8 + The ``intention`` and ``csrf_token_generator`` options were introduced + in Symfony 2.8. Prior, you had to use the ``csrf_token_id`` and ``csrf_provider`` + options. + .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery .. _`Forging Login Requests`: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests From 07e9f9fa4888ff809672e54f181dff93cbe1d687 Mon Sep 17 00:00:00 2001 From: Aaron Valandra Date: Wed, 2 Dec 2015 09:11:56 -0600 Subject: [PATCH 3/3] Improper markdown for versionadded. --- cookbook/security/csrf_in_login_form.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index c0514553613..79d3455fb2f 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -182,7 +182,7 @@ After this, you have protected your login form against CSRF attacks. ), )); -versionadded:: 2.8 +.. versionadded:: 2.8 The ``intention`` and ``csrf_token_generator`` options were introduced in Symfony 2.8. Prior, you had to use the ``csrf_token_id`` and ``csrf_provider`` options.