在Symfony中创建自定义唯一的CSRF令牌 [英] Create custom unique csrf token in Symfony

问题描述

有人知道如何在Symfony中创建唯一的CSRF_token吗？我在security.yml文件中使用了以下配置，并以其形式创建了默认的Symfony CSRF_token。

Do anyone know how can I create unique CSRF_token in Symfony? I used the following config in my security.yml file and in the form it creates the default Symfony CSRF_token.

firewalls:
    login:
        pattern:  ^/demo/secured/login$
        security: false
    docova:
        pattern:     /.*
        form_login:
            login_path: %d.login_path%
            check_path: %d.check_path%
            csrf_provider: form.csrf_provider
            csrf_parameter: _csrf_token
            intention: My_Private_String
            default_target_path: %d.default_target_path%
            success_handler: myproject.security.authentication.success_handler
        logout:
            path:   /MyProject/logout
            target: /MyProject
        anonymous: true
        security: true
        docova: true

在我的登录树枝文件中，我有这个：

and in my login twig file I have this:

<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" />

欣赏它。

推荐答案

csrf令牌的生成基于表单的名称和会话ID，因此，csrf对于每个会话的每个表单都是唯一的，如果您希望每个表单真正具有唯一性， d需要基本覆盖创建csrf的方法，并传入一个随机字符串来代替表单名称。然后，您需要保存该随机字符串，并将其与会话ID匹配，以便在提交表单时验证csrf。

the csrf token generation is based on the name of the form and the session id, thus the csrf is unique for each form per session as it is, if you want something truly unique for every form, you'd need to basically override the method that creates the csrf and pass in a randomized string in place of the form name. You'd then need to save that randomized string and match it with the session id so you can validate the csrf when the form is submitted.

这篇关于在Symfony中创建自定义唯一的CSRF令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！