Symfony: secure link removal with CSRFProtection

I have a delete link that deletes a Comment object by ID: /comment/:id/delete

To protect this link, I add the CSRF token to the link:

 $CSRFTokenForm = new BaseForm();
 $link = url_for(..., array('_csrf_token' => $CSRFTokenForm->getCSRFToken()));

and in executeDelete I use the checkCSRFProtection() method, and everything works fine.

The only thing is that each comment is rendered as a partial, and each partial creates its own BaseForm() to create a token, which is a waste of time, since they are all the same.

Do you have a better idea of how to make this more efficient, for example using the static getCSRFToken() method or creating a global BaseForm()?

+6
3 answers

Use the SF 'method' => 'delete' option. It creates a CSRF token for you:

 <?php echo link_to('comment/' . $comment->getId() . '/delete', array(
     'method'  => 'delete',
     'confirm' => 'Do you really want to delete the comment??',
     'title'   => 'Delete'
 )); ?>
+5

Yes, this is a jQuery plugin bug. If you use sfJqueryReloadedPlugin 1.4.3, you need to change the source code of the jQueryHelper file in the plugin directory and put "BaseForm" instead of "sfForm" in the "csrf => 1" section.

+1

With jQuery plugin try:

jq_link_to_remote('comment/' . $comment->getId() . '/delete', array('csrf' => 1))

Found in the source code, and they also do this with an instance of BaseForm.

0
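One way to address the question's efficiency concern while keeping the BaseForm-versus-sfForm point from the second answer, as an added example rather than code from this thread: the token is computed once per request in a helper and reused by every comment partial, and the action validates it. It assumes Symfony 1.4 with csrf_protection enabled in settings.yml, Doctrine as the ORM, and helper, function and route names that are my own.

```php
<?php
// Added example (not from the thread). Builds the BaseForm CSRF token once per
// request, reuses it in every comment partial, then checks it in the action.
// Assumes Symfony 1.4 with csrf_protection: true in settings.yml and Doctrine;
// the helper file, function names and route are assumptions, not Symfony's.

// lib/helper/CommentCsrfHelper.php  (load with use_helper('CommentCsrf'))
function comment_csrf_token()
{
  static $token = null;

  if (null === $token) {
    // Must be BaseForm, not sfForm: sfForm::getCSRFToken() hashes the secret,
    // the session id and get_class($form), and sfWebRequest::checkCSRFProtection()
    // validates with a BaseForm, so a token minted from sfForm never matches.
    $form  = new BaseForm();
    $token = $form->getCSRFToken();
  }

  return $token;
}

// Builds the delete URL for one comment; the partial calls this per comment
// and the token is computed only on the first call of the request.
function comment_delete_url(Comment $comment)
{
  return url_for('comment/delete?id=' . (int) $comment->getId()
    . '&_csrf_token=' . urlencode(comment_csrf_token()));
}

// In templates/_comment.php the partial only echoes a link whose href is
// comment_delete_url($comment); no BaseForm is built per comment any more.

// apps/frontend/modules/comment/actions/actions.class.php
class commentActions extends sfActions
{
  public function executeDelete(sfWebRequest $request)
  {
    // Throws a validation error (rendered as an error page) when _csrf_token
    // is missing or does not match the token of the current session.
    $request->checkCSRFProtection();

    $comment = Doctrine_Core::getTable('Comment')->find($request->getParameter('id'));
    $this->forward404Unless($comment, 'No such comment');

    $comment->delete();
    $this->redirect('comment/index');
  }
}
```

The helper fits url_for-based links like the question's; the link_to(..., array('method' => 'delete')) form from the first answer mints its own token and submits a POST, so the token never sits in a GET URL where the Referer header or link prefetching can expose it.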

Source: https://habr.com/ru/post/890037/
