Disable Symfony 2 CSRF token protection on AJAX submit

I am creating a mobile application that talks to my Symfony2 application through web services. I cannot find a way to disable CSRF protection on a specific controller / action.

I want to send registration data to this action and use sf2 form validation. I do not name the form in my mobile application.

It is not possible to change the container's parameters in the action; it throws an exception because it is a frozen parameter ...

I do not want to disable form protection for my entire application.

Any clue?

Thanks!

Update: with Symfony 2.1.x:

    /**
     * {@inheritdoc}
     */
    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'csrf_protection' => false,
        ));
    }
+42
ajax symfony csrf
Mar 27 '12 at 10:09
5 answers

If you are looking for a slightly easier and faster solution than suggested in the answer above, here's how:

    <?php
    // ...
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\FormBuilder;
    use Symfony\Component\OptionsResolver\OptionsResolver;

    class MyType extends AbstractType
    {
        // ...

        public function configureOptions(OptionsResolver $resolver)
        {
            // Turns CSRF protection off for this form type only
            $resolver->setDefaults(array(
                'csrf_protection' => false,
            ));
        }
    }

... or if you are using Symfony 2.0.*:

    <?php
    // ...
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\FormBuilder;

    class MyType extends AbstractType
    {
        // ...

        public function getDefaultOptions(array $options)
        {
            $options = parent::getDefaultOptions($options);
            $options['csrf_protection'] = false;

            return $options;
        }
    }

See the Symfony documentation for more information.

Edit: updated answer for the latest Symfony, thanks naitsirch

+76
Mar 27 '12 at 11:52

Using the form factory

For those who want to create a simple form in the controller:

    $form = $this->container->get('form.factory')
        ->createNamedBuilder(null, 'form', null, array('csrf_protection' => false))
        ->add('yourField', 'text', array(
            'label' => false,
            'mapped' => false
        ))
        ->getForm();
+18
Jan 10 '14 at 2:30

    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults([
            'csrf_protection' => false,
        ]);
    }
+4
Jun 24 '16 at 11:29

I can't be 100% sure, but I think I read somewhere that you can pass the csrf_provider option when creating the form.

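All providers are subtypes of the Symfony\Component\Form\Extension\Csrf\CsrfProvider, and you should be able to create your own:

    use Symfony\Component\Form\Extension\Csrf\CsrfProvider\DefaultCsrfProvider;

    class MyNonCsrfProvider extends DefaultCsrfProvider
    {
        // Accepts every token, so validation never rejects a submission
        public function isCsrfTokenValid($intention, $token)
        {
            return true;
        }
    }

and in the controller:

    // Form options are the third argument of createForm(); the second is the form data
    $form = $this->createForm(new CustomFormType(), null, array(
        'csrf_provider' => new MyNonCsrfProvider()
    ));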

I have not tried this myself, but it seems like a possible solution ...

+1
Mar 27 '12 at 11:20

Using the form factory in Symfony 3

    use Symfony\Component\Form\Extension\Core\Type\FormType;
    use Symfony\Component\Form\Extension\Core\Type\TextType;

    // Symfony 3 requires field types as class names, not string aliases such as 'text'
    $form = $this->container->get('form.factory')
        ->createNamedBuilder(null, FormType::class, null, array('csrf_protection' => false))
        ->add('yourField', TextType::class, array(
            'label' => false,
            'mapped' => false
        ))
        ->getForm();

Adapted from Mika's answer

+1
Jul 25 '16 at 14:30