I'm working on a Symfony application using FOSUserBundle. I want to have a dropdown login form in the menubar if I am not authenticated, which has a completely different style from the one under /login.
I'm getting 'Invalid CSRF token'. I'm a complete newbie to Symfony2, so maybe I'm making an obvious mistake, but I can't find a solution by googling. This is what I tried:
Controller:
<?php
namespace RoiRodriguez\CustomUserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\SecurityContext;

class DefaultController extends Controller
{
    /**
     * For internal requests, renders the navigation bar.
     * Has no route.
     */
    public function navigationAction()
    {
        $params = array(
            'csrf_token'    => '',
            'last_username' => ''
        );
        if ($this->container->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            $session = $this->getRequest()->getSession();
            $params['last_username'] = (null === $session) ? '' : $session->get(SecurityContext::LAST_USERNAME);
            $params['csrf_token'] = $this->container->get('form.csrf_provider')->generateCsrfToken('authenticate');
        }

        return $this->render('CustomUserBundle:Default:navigation.html.twig', $params);
    }
}
View:
<ul class="nav navbar-nav navbar-right">
    {% if app.user and is_granted('IS_AUTHENTICATED_FULLY') %}
        {% include 'CustomUserBundle:Default:includes/navigation-authenticated.html.twig' %}
    {% else %}
        {% include 'CustomUserBundle:Default:includes/navigation-notauthenticated.html.twig' with {'csrf_token': csrf_token, 'last_username': last_username} %}
    {% endif %}
</ul>
Not authenticated template:
<li><a href="{{ path('fos_user_registration_register') }}">New account</a></li>
<li class="dropdown"><a href="#" class="dropdown-toggle"
    data-toggle="dropdown">Log in <b class="caret"></b></a>
    <div class="dropdown-menu dd-login-form-container">
        <!-- login form -->
        <form role="form" method="post"
              action="{{ path("fos_user_security_check") }}">
            <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
            ......
            <button type="submit" class="btn btn-primary">Log in!</button>
        </form>
        <!-- end login form -->
        <ul>
            <li><a href="{{ path('fos_user_resetting_request') }}">Forgot your password?</a></li>
            <li><a href="{{ path('fos_user_registration_register') }}">Don't have an account yet?</a></li>
        </ul>
    </div>
</li>
What am I missing? Also: this dropdown menu gets rendered inside /login too; would I have any trouble generating the token twice there?
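The form_login listener on the firewall validates the posted `_csrf_token` against the token its own CSRF provider generates for the `authenticate` intention, so the form rendered to an anonymous visitor must carry a token produced by that same provider and intention. As an added example (not the asker's code, and not FOSUserBundle's own), here is the navigation controller with the token generated in the branch that actually shows the dropdown form, i.e. when the visitor is not fully authenticated. The bundle, route and template names are taken from the question; the `LOGIN_INTENTION` constant and the `$this->get()` shorthand of the base Controller are assumptions about how one would write it, and the intention value must match the `intention` option of `form_login` in security.yml (default `authenticate`).

```php
<?php
// Added example, not code from the original question: the navigation
// controller rewritten so the login dropdown always receives a CSRF token
// when the visitor is NOT authenticated. Bundle, route and template names
// follow the question; everything else is an assumption.
namespace RoiRodriguez\CustomUserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\SecurityContext;

class DefaultController extends Controller
{
    /**
     * Intention the firewall's form_login listener validates against.
     * It must equal the "intention" option of form_login in security.yml
     * (default "authenticate"); a different string makes every token invalid.
     */
    const LOGIN_INTENTION = 'authenticate';

    public function navigationAction()
    {
        $params = array('csrf_token' => '', 'last_username' => '');

        // Only an anonymous visitor sees the dropdown login form, so the
        // token has to be generated in the NOT-authenticated branch.
        if (!$this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
            $session = $this->getRequest()->getSession();
            $params['last_username'] = (null === $session)
                ? ''
                : $session->get(SecurityContext::LAST_USERNAME);

            // Same provider service and same intention the firewall uses.
            $params['csrf_token'] = $this->get('form.csrf_provider')
                ->generateCsrfToken(self::LOGIN_INTENTION);
        }

        return $this->render('CustomUserBundle:Default:navigation.html.twig', $params);
    }
}
```

On the second part of the question: calling `generateCsrfToken('authenticate')` twice while rendering one page is harmless. The provider derives the value from the session and the intention (the Symfony 2.x `DefaultCsrfProvider` hashes secret, intention and session id), so both the dropdown and the /login page get the same token and either form validates.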
My custom login form was giving me the same issue - 'Invalid CSRF token' - anytime I tried to log in. After going through the documentation for the FOSUserBundle configuration options (FOSUserBundle Configuration Reference), I discovered that the bundle enables a different token manager by default. So I went to my security.yml file and commented out the line specifying a csrf token generator for the login form.
Here is a cross section of my app/config/security.yml file with the configuration specifying the csrf token manager commented out.
security:
    .......
    firewalls:
        ........
        vendor:
            pattern: ^/vendor
            form_login:
                provider: fos_userbundle
                # csrf_token_generator: security.csrf.token_manager
                login_path: vendor_login
                check_path: vendor_login_check
            logout: true
After doing this, my login form started working and I could log in.