概述 快速入门 教程 手册 最佳实践 组件 参考 贡献

发布于 2015-08-27 16:41:55 | 214 次阅读 | 评论: 0 | 来源: 网络整理

When using a login form, you should make sure that you are protected against CSRF (Cross-site request forgery). The Security component already has built-in support for CSRF. In this article you’ll learn how you can use it in your login form.

注解

Login CSRF attacks are a bit less well-known. See Forging Login Requests if you’re curious about more details.

Configuring CSRF Protection

First, configure the Security component so it can use CSRF protection. The Security component needs a CSRF token provider. You can set this to use the default provider available in the Form component:

  • YAML
    # app/config/security.yml
    security:
        firewalls:
            secured_area:
                # ...
                form_login:
                    # ...
                    csrf_provider: form.csrf_provider
    
  • XML
    <!-- app/config/config.xml -->
    <?xml version="1.0" encoding="UTF-8" ?>
    <srv:container xmlns="http://symfony.com/schema/dic/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:srv="http://symfony.com/schema/dic/services"
        xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
    
        <config>
            <firewall name="secured_area">
                <!-- ... -->
    
                <form-login csrf-provider="form.csrf_provider" />
            </firewall>
        </config>
    </srv:container>
    
  • PHP
    // app/config/security.php
    $container->loadFromExtension('security', array(
        'firewalls' => array(
            'secured_area' => array(
                // ...
                'form_login' => array(
                    // ...
                    'csrf_provider' => 'form.csrf_provider',
                )
            )
        )
    ));
    

The Security component can be configured further, but this is all information it needs to be able to use CSRF in the login form.

Rendering the CSRF field

Now that Security component will check for the CSRF token, you have to add a hidden field to the login form containing the CSRF token. By default, this field is named _csrf_token. That hidden field must contain the CSRF token, which can be generated by using the csrf_token function. That function requires a token ID, which must be set to authenticate when using the login form:

  • Twig
    {# src/Acme/SecurityBundle/Resources/views/Security/login.html.twig #}
    
    {# ... #}
    <form action="{{ path('login_check') }}" method="post">
        {# ... the login fields #}
    
        <input type="hidden" name="_csrf_token"
            value="{{ csrf_token('authenticate') }}"
        >
    
        <button type="submit">login</button>
    </form>
    
  • PHP
    <!-- src/Acme/SecurityBundle/Resources/views/Security/login.html.php -->
    
    <!-- ... -->
    <form action="<?php echo $view['router']->generate('login_check') ?>" method="post">
        <!-- ... the login fields -->
    
        <input type="hidden" name="_csrf_token"
            value="<?php echo $view['form']->csrfToken('authenticate') ?>"
        >
    
        <button type="submit">login</button>
    </form>
    

After this, you have protected your login form against CSRF attacks.

小技巧

You can change the name of the field by setting csrf_parameter and change the token ID by setting intention in your configuration:

  • YAML
    # app/config/security.yml
    security:
        firewalls:
            secured_area:
                # ...
                form_login:
                    # ...
                    csrf_parameter: _csrf_security_token
                    intention: a_private_string
    
  • XML
    <!-- app/config/config.xml -->
    <?xml version="1.0" encoding="UTF-8" ?>
    <srv:container xmlns="http://symfony.com/schema/dic/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:srv="http://symfony.com/schema/dic/services"
        xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
    
        <config>
            <firewall name="secured_area">
                <!-- ... -->
    
                <form-login csrf-parameter="_csrf_security_token"
                    intention="a_private_string" />
            </firewall>
        </config>
    </srv:container>
    
  • PHP
    // app/config/security.php
    $container->loadFromExtension('security', array(
        'firewalls' => array(
            'secured_area' => array(
                // ...
                'form_login' => array(
                    // ...
                    'csrf_parameter' => '_csrf_security_token',
                    'intention'      => 'a_private_string',
                )
            )
        )
    ));
    
最新网友评论  共有(0)条评论 发布评论 返回顶部

Copyright © 2007-2017 PHPERZ.COM All Rights Reserved   冀ICP备14009818号  版权声明  广告服务