Search by Algolia
Back to symfony.com

CSRF Protection

Edit this page

CSRF Protection

To prevent CSRF attacks on the two-factor authentication form, you can enable CSRF protection the same way you would do it on the login form.

First, make sure that the CSRF protection is enabled in the main configuration file:

1
2
3
# config/packages/framework.yaml
framework:
    csrf_protection: ~

Then, in the firewall's two_factor security configuration need to enable CSRF:

1
2
3
4
5
6
# config/packages/security.yaml
security:
    firewalls:
        your_firewall_name:
            two_factor:
                enable_csrf: true

Make sure you add the extra field for the CSRF token in the authentication form. The code from the default template will do the job:

1
2
3
{% if isCsrfProtectionEnabled %}
    <input type="hidden" name="{{ csrfParameterName }}" value="{{ csrf_token(csrfTokenId) }}">
{% endif %}

You can change the name of the field by setting csrf_parameter and change the token ID by setting csrf_token_id in your configuration:

1
2
3
4
5
6
7
8
# config/packages/security.yaml
security:
    firewalls:
        your_firewall_name:
            two_factor:
                enable_csrf: true
                csrf_parameter: _csrf_security_token
                csrf_token_id: a_private_string
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
All in one: from PHP to database, search, security and performance.

All in one: from PHP to database, search, security and performance.

Symfony Code Performance Profiling

Symfony Code Performance Profiling

Peruse our complete Symfony & PHP solutions catalog for your web development needs.

Peruse our complete Symfony & PHP solutions catalog for your web development needs.