csrf_protection.md

File metadata and controls

47 lines (38 loc) · 1.28 KB

CSRF Protection

To prevent CSRF attacks on the two-factor authentication form, you can enable CSRF protection the same way you would do it on the login form.

First, make sure that the CSRF protection is enabled in the main configuration file:

# app/config/config.yml
framework:
    csrf_protection: ~

Then, the two_factor security configuration needs a CSRF token provider. You can set this to use the default provider available in the security component:

# app/config/security.yml
security:
    firewalls:
        secured_area:
            two_factor:
                csrf_token_generator: security.csrf.token_manager

Make sure you add the extra field for the CSRF token in the authentication form. The code from the default template will do the job:

{% if isCsrfProtectionEnabled %}
    <input type="hidden" name="{{ csrfParameterName }}" value="{{ csrf_token(csrfTokenId) }}">
{% endif %}

You can change the name of the field by setting csrf_parameter and change the token ID by setting csrf_token_id in your configuration:

# app/config/security.yml
security:
    firewalls:
        secured_area:
            two_factor:
                csrf_parameter: _csrf_security_token
                csrf_token_id: a_private_string
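To make the interplay of the template field and the two configuration keys concrete, here is an added example that is not part of the bundle or of Symfony: a small stand-in for a CSRF token manager keyed by token ID, rendering the hidden field named by csrf_parameter and validating a submitted two-factor form against the token stored under csrf_token_id. The class and function names are hypothetical, the two-factor code field name _auth_code is an assumption, and the session is simulated by an array so the script runs on its own with a plain PHP interpreter.

```php
<?php
// Added example, not code from the bundle or from Symfony. It imitates the
// behaviour of a session-bound CSRF token manager so the roles of
// csrf_parameter and csrf_token_id from the configuration above are visible.

declare(strict_types=1);

final class SimpleCsrfTokenManager
{
    /** @var array<string,string> simulated session storage: token ID => token */
    private array $session = [];

    // Counterpart of csrf_token(csrfTokenId) in the template: returns the token
    // for an ID, creating it once per session so repeated renders reuse it.
    public function getToken(string $tokenId): string
    {
        if (!isset($this->session[$tokenId])) {
            $this->session[$tokenId] = bin2hex(random_bytes(32));
        }
        return $this->session[$tokenId];
    }

    // Validates a submitted value against the token stored for the same ID.
    // A missing field or an unknown ID is rejected; the comparison is
    // constant-time so the check does not leak how many bytes matched.
    public function isTokenValid(string $tokenId, ?string $submitted): bool
    {
        if ($submitted === null || !isset($this->session[$tokenId])) {
            return false;
        }
        return hash_equals($this->session[$tokenId], $submitted);
    }
}

// Assumed values, matching the security.yml fragment above.
$csrfParameter = '_csrf_security_token';
$csrfTokenId   = 'a_private_string';

$manager = new SimpleCsrfTokenManager();

// Rendering the form: the hidden field carries the token for the configured ID,
// which is what the {% if isCsrfProtectionEnabled %} block in the template does.
$hiddenField = sprintf(
    '<input type="hidden" name="%s" value="%s">',
    htmlspecialchars($csrfParameter, ENT_QUOTES),
    htmlspecialchars($manager->getToken($csrfTokenId), ENT_QUOTES)
);
echo $hiddenField, PHP_EOL;

// Handling the POST: read the field named by csrf_parameter and check it
// against the token registered under csrf_token_id, before the code is looked at.
function checkTwoFactorPost(array $post, SimpleCsrfTokenManager $manager, string $param, string $tokenId): bool
{
    return $manager->isTokenValid($tokenId, $post[$param] ?? null);
}

// Constructed requests: a legitimate submission, a submission without the
// field, and one carrying a value that never came from this session.
$legit  = ['_auth_code' => '123456', $csrfParameter => $manager->getToken($csrfTokenId)];
$noTok  = ['_auth_code' => '123456'];
$forged = ['_auth_code' => '123456', $csrfParameter => str_repeat('0', 64)];

foreach (['legitimate' => $legit, 'missing token' => $noTok, 'forged token' => $forged] as $label => $post) {
    $ok = checkTwoFactorPost($post, $manager, $csrfParameter, $csrfTokenId);
    echo str_pad($label, 14), ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Run it with `php csrf_example.php`: only the submission that reuses the token rendered into the hidden field is accepted, while a request without the field or with a guessed value is rejected regardless of whether the two-factor code itself is correct. Changing csrf_parameter or csrf_token_id in the configuration has to be reflected on both the rendering side and the checking side, which is why the template reads them from csrfParameterName and csrfTokenId instead of hard-coding them.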