Using CSRF Protection in the Login Form
Warning: You are browsing the documentation for Symfony 3.x, which is no longer maintained.
When using a login form, you should make sure that you are protected against CSRF (Cross-site request forgery). The Security component already has built-in support for CSRF. In this article you'll learn how you can use it in your login form.
Note
Login CSRF attacks are a bit less well-known. See Forging Login Requests if you're curious about more details.
Configuring CSRF Protection
First, make sure that the CSRF protection is enabled in the main configuration file:
```yaml
# app/config/config.yml
framework:
    # ...
    csrf_protection: ~
```
Then, the security component needs a CSRF token provider. You can set this to use the default provider available in the security component:
```yaml
# app/config/security.yml
security:
    # ...
    firewalls:
        secured_area:
            # ...
            form_login:
                # ...
                csrf_token_generator: security.csrf.token_manager
```
The Security component can be configured further, but this is all the information it needs to use CSRF protection in the login form.
Tip
If you're using a Guard Authenticator, you'll need to validate the CSRF token manually inside of that class. See How to Create a Custom Authentication System with Guard for details.
Rendering the CSRF field
Now that the Security component will check for the CSRF token, you have to add a hidden field to the login form containing the CSRF token. By default, this field is named _csrf_token. That hidden field must contain the CSRF token, which can be generated by using the csrf_token() function. That function requires a token ID, which must be set to authenticate when using the login form:
```twig
{# src/AppBundle/Resources/views/Security/login.html.twig #}
{# ... #}
<form action="{{ path('login') }}" method="post">
    {# ... the login fields #}

    <input type="hidden" name="_csrf_token"
        value="{{ csrf_token('authenticate') }}"
    >

    <button type="submit">login</button>
</form>
```
After this, you have protected your login form against CSRF attacks.
Tip
You can change the name of the field by setting csrf_parameter and change the token ID by setting csrf_token_id in your configuration:
```yaml
# app/config/security.yml
security:
    # ...
    firewalls:
        secured_area:
            # ...
            form_login:
                # ...
                csrf_parameter: _csrf_security_token
                csrf_token_id: a_private_string
```
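The earlier tip says that a Guard authenticator has to validate the CSRF token itself, and the tip just above shows that the field name and token ID are configurable. The authenticator below is an added example, not code from the Symfony documentation, that covers both points: it checks the submitted token with the same security.csrf.token_manager service before doing any user lookup, and it takes the parameter name and token ID as constructor arguments (defaulting to _csrf_token and authenticate, the defaults this article uses) so that they can be kept in line with csrf_parameter and csrf_token_id. It is written against the Symfony 3.4 Guard API; the supports() method assumed here does not exist in earlier 3.x releases. The file path, the _username and _password field names, and the login and homepage route names are assumptions for the example.

```php
<?php
// src/AppBundle/Security/LoginFormAuthenticator.php (path assumed for this example)
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;

class LoginFormAuthenticator extends AbstractFormLoginAuthenticator
{
    private $router;
    private $passwordEncoder;
    private $csrfTokenManager;
    private $csrfParameter;
    private $csrfTokenId;

    public function __construct(
        RouterInterface $router,
        UserPasswordEncoderInterface $passwordEncoder,
        CsrfTokenManagerInterface $csrfTokenManager,
        $csrfParameter = '_csrf_token',   // keep equal to form_login.csrf_parameter
        $csrfTokenId = 'authenticate'     // keep equal to form_login.csrf_token_id
    ) {
        $this->router = $router;
        $this->passwordEncoder = $passwordEncoder;
        $this->csrfTokenManager = $csrfTokenManager;
        $this->csrfParameter = $csrfParameter;
        $this->csrfTokenId = $csrfTokenId;
    }

    // Only POSTs to the login route are handled by this authenticator
    // ('login' is the route name assumed by this example).
    public function supports(Request $request)
    {
        return 'login' === $request->attributes->get('_route')
            && $request->isMethod('POST');
    }

    public function getCredentials(Request $request)
    {
        // Validate the CSRF token first: a missing or forged token aborts the
        // request before any user lookup or password check takes place.
        $submitted = $request->request->get($this->csrfParameter);
        $csrfToken = new CsrfToken($this->csrfTokenId, $submitted);
        if (!$this->csrfTokenManager->isTokenValid($csrfToken)) {
            throw new InvalidCsrfTokenException('Invalid CSRF token.');
        }

        // _username / _password are assumed field names for this example.
        return array(
            'username' => $request->request->get('_username'),
            'password' => $request->request->get('_password'),
        );
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        return $userProvider->loadUserByUsername($credentials['username']);
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        return $this->passwordEncoder->isPasswordValid($user, $credentials['password']);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        // 'homepage' is a placeholder route name for this example.
        return new RedirectResponse($this->router->generate('homepage'));
    }

    protected function getLoginUrl()
    {
        return $this->router->generate('login');
    }
}
```

When wiring the service, pass the security.csrf.token_manager service as the third argument (or let Symfony 3.4 autowiring resolve CsrfTokenManagerInterface) and, if you have set csrf_parameter or csrf_token_id under form_login, pass the same two strings as the last arguments. Throwing InvalidCsrfTokenException from getCredentials() means the failure is routed through the authenticator's onAuthenticationFailure(), which AbstractFormLoginAuthenticator implements by storing the exception in the session and redirecting back to the login URL, so the user sees a normal login error rather than a 500 page.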