CSRF Protection

To prevent CSRF attacks on the two-factor authentication form, you can enable CSRF protection the same way you would do it on the login form.

First, make sure that the CSRF protection is enabled in the main configuration file:

        1
2
3
        # config/packages/framework.yaml
framework:
    csrf_protection: ~
    

Then, in the firewall's two_factor security configuration need to enable CSRF:

        1
2
3
4
5
6
        # config/packages/security.yaml
security:
    firewalls:
        your_firewall_name:
            two_factor:
                enable_csrf: true
    

Make sure you add the extra field for the CSRF token in the authentication form. The code from the default template will do the job:

        1
2
3
        {% if isCsrfProtectionEnabled %}
    <input type="hidden" name="{{ csrfParameterName }}" value="{{ csrf_token(csrfTokenId) }}">
{% endif %}
    

You can change the name of the field by setting csrf_parameter and change the token ID by setting csrf_token_id in your configuration:

        1
2
3
4
5
6
7
8
        # config/packages/security.yaml
security:
    firewalls:
        your_firewall_name:
            two_factor:
                enable_csrf: true
                csrf_parameter: _csrf_security_token
                csrf_token_id: a_private_string
    

If you need to pass the CSRF token in the HTTP header, you can configure the name of the header:

        1
2
3
4
5
6
7
        # config/packages/security.yaml
security:
    firewalls:
        your_firewall_name:
            two_factor:
                enable_csrf: true
                csrf_header: X-CSRF-Token
    

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.

TOC

Version