Skip to content
Symfony2 bundle which provides a simple way to add CSRF tokens on routes.
PHP
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Annotation
DependencyInjection
EventListener
Handler
Manager
Model
Resources/config
Routing
.gitignore
CHANGELOG.md
FantoineCsrfRouteBundle.php
LICENSE
README.md
composer.json

README.md

*/!\ This bundle is no more supported and has moved to Genedys/csrf-route-bundle /!*

FantoineCsrfRouteBundle

This Symfony2 bundle provides route annotation and options to secure routes against CSRF attacks and without using forms.

SensioLabsInsight

Installation

Use Composer to install the bundle:

composer require fantoine/csrf-route-bundle '~1.0@dev'

or add the following line in your composer.json file:

    "require": {
        ...
        "fantoine/csrf-route-bundle": "~1.0@dev",
        ...
    }

Then, register the bundle in your application's kernel class:

    // app/AppKernel.php
    public function registerBundles()
    {
        $bundles = array(
            // ...
            new Fantoine\CsrfRouteBundle\FantoineCsrfRouteBundle(),
            // ...
        );
    }

Configuration

Configuration reference :

fantoine_csrf_route:
    enabled: true
    field_name: _token
  • enabled : Enable or disable the token verification (default: true);
  • field_name : The name of the field appended to route URLs (default: _token).

Usage

The only thing to do to use this package is to add some configurations to the routes you want to protect.

The bundle adds a router which can append a token query parameter on route generation and a controller listener validate which validates token on called routes.

Options configuration

The bundle checks controller calls and search for a csrf_token option. The available parameters for this options are:

  • token : The token parameter name (by default _token)
  • intention : The token intention. Different intentions generate different tokens (by default null which results to the route name).
  • methods : The HTTP method(s) when the CSRF token is validated (by default GET).
# app/config/routing.yml
homepage:
    ...
    options:
        - csrf_token: 
            - token: '_token'
            - intention: null
            - methods: [GET]

You can also only specify the csrf_token option to true to use default parameters.

# app/config/routing.yml
homepage:
    ...
    options: { csrf_token: true }

Annotation configuration

If you use annotations to configurate your routes, then the easiest way it to add an additionnal annotation to the sensible actions:

<?php
// src Acme\DemoBundle\Controller\DefaultController.php

// ...
use Fantoine\CsrfRouteBundle\Annotation\CsrfToken;
// ...

class DefaultController {
    // ...
    /**
     * ...
     * @CsrfToken
     */
    public function sensibleAction()
    {
        //...
    }
    // ...
}

Twig integration

As the bundle provides a custom router, CSRF tokens are automatically appended to url generated with path(...) and url(...) on Twig templates.

Routers compatibility

This bundle overrides the default Symfony router. In case you use other bundles which does the same thing (for instance JMSI18nRoutingBundle), the router integrated on this bundle works automatically as an adapter on previously configurated router. The only thing to take care is to register the FantoineCsrfRouterBundle after the bundle which overrides the router.

Credits

Created by Fabien Antoine.

License

This bundle is under the MIT license.

You can’t perform that action at this time.