CSRF token error occurs on record creation after applying symfony/security-http security patch #8142

Closed
rafa0805 opened this issue Dec 14, 2023 · 4 comments

rafa0805 commented Dec 14, 2023

Environment

Sonata packages

CSRF token errors occur when creating a new record through Sonata after updating sonata-project/admin-bundle with dependencies. This issue occurs when applying the symfony/security-http security patch released in v5.3.31.

$ composer show --latest 'sonata-project/*'
Color legend:
- patch or minor release available - update recommended
- major release available - update possible
- up to date version

Direct dependencies required in composer.json:
sonata-project/doctrine-orm-admin-bundle 4.15.0 4.15.0 Integrate Doctrine ORM into the SonataAdminBundle

Transitive dependencies not required in composer.json:
sonata-project/admin-bundle              4.29.1 4.29.1 The missing Symfony Admin Generator
sonata-project/block-bundle              5.1.0  5.1.0  Symfony SonataBlockBundle
sonata-project/doctrine-extensions       2.3.0  2.3.0  Doctrine2 behavioral extensions
sonata-project/exporter                  3.3.0  3.3.0  Lightweight Exporter library
sonata-project/form-extensions           2.3.0  2.3.0  Symfony form extensions
sonata-project/twig-extensions           2.4.0  2.4.0  Sonata twig extensions

Symfony packages

$ composer show --latest 'symfony/*'
Color legend:
- patch or minor release available - update recommended
- major release available - update possible
- up to date version

Direct dependencies required in composer.json:
symfony/cache                      v5.4.29 v6.4.0  Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/config                     v5.4.26 v6.4.0  Helps you find, load, combine, autofill and validate configuration...
symfony/console                    v5.4.28 v6.4.1  Eases the creation of beautiful and testable command line interfaces
symfony/debug-bundle               v5.4.26 v6.4.0  Provides a tight integration of the Symfony VarDumper component an...
symfony/dependency-injection       v5.4.29 v6.4.1  Allows you to standardize and centralize the way objects are const...
symfony/error-handler              v5.4.29 v6.4.0  Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher           v5.4.26 v6.4.0  Provides tools that allow your application components to communica...
symfony/form                       v5.4.29 v6.4.1  Allows to easily create, process and reuse HTML forms
symfony/framework-bundle           v5.4.29 v6.4.1  Provides a tight integration between Symfony components and the Sy...
symfony/http-client                v5.4.29 v6.4.0  Provides powerful methods to fetch HTTP resources synchronously or...
symfony/http-foundation            v5.4.28 v6.4.0  Defines an object-oriented layer for the HTTP specification
symfony/http-kernel                v5.4.29 v6.4.1  Provides a structured process for converting a Request into a Resp...
symfony/mailer                     v5.4.22 v6.4.0  Helps sending emails
symfony/mime                       v5.4.26 v6.4.0  Allows manipulating MIME messages
symfony/monolog-bundle             v3.8.0  v3.10.0 Symfony MonologBundle
symfony/routing                    v5.4.26 v6.4.1  Maps an HTTP request to a set of configuration variables
symfony/security-bundle            v5.4.31 v6.4.0  Provides a tight integration of the Security component into the Sy...
symfony/sendgrid-mailer            v5.4.23 v6.4.0  Symfony Sendgrid Mailer Bridge
symfony/translation                v5.4.24 v6.4.0  Provides tools to internationalize your application
symfony/twig-bundle                v5.4.27 v6.4.0  Provides a tight integration of Twig into the Symfony full-stack f...
symfony/uid                        v5.4.21 v6.4.0  Provides an object-oriented API to generate and represent UIDs
symfony/validator                  v5.4.29 v6.4.0  Provides tools to validate values
symfony/web-profiler-bundle        v5.4.26 v6.4.0  Provides a development tool that gives detailed information about ...

Transitive dependencies not required in composer.json:
symfony/asset                      v6.4.0  v6.4.0  Manages URL generation and versioning of web assets such as CSS st...
symfony/browser-kit                v6.3.2  v6.4.0  Simulates the behavior of a web browser, allowing you to make requ...
symfony/cache-contracts            v2.5.2  v3.4.0  Generic abstractions related to caching
symfony/css-selector               v5.4.26 v6.4.0  Converts CSS selectors to XPath expressions
symfony/deprecation-contracts      v3.4.0  v3.4.0  A generic function and convention to trigger deprecation notices
symfony/doctrine-bridge            v5.4.31 v6.4.0  Provides integration for Doctrine with various Symfony components
symfony/dom-crawler                v6.3.4  v6.4.0  Eases DOM navigation for HTML and XML documents
symfony/event-dispatcher-contracts v3.4.0  v3.4.0  Generic abstractions related to dispatching event
symfony/expression-language        v6.4.0  v6.4.0  Provides an engine that can compile and evaluate expressions
symfony/filesystem                 v6.3.1  v6.4.0  Provides basic utilities for the filesystem
symfony/finder                     v5.4.27 v6.4.0  Finds files and directories via an intuitive fluent interface
symfony/http-client-contracts      v2.5.2  v3.4.0  Generic abstractions related to HTTP clients
symfony/intl                       v6.3.2  v6.4.0  Provides access to the localization data of the ICU library
symfony/monolog-bridge             v5.4.22 v6.4.0  Provides integration for Monolog with various Symfony components
symfony/options-resolver           v6.4.0  v6.4.0  Provides an improved replacement for the array_replace PHP function
symfony/password-hasher            v6.4.0  v6.4.0  Provides password hashing utilities
symfony/polyfill-ctype             v1.28.0 v1.28.0 Symfony polyfill for ctype functions
symfony/polyfill-intl-grapheme     v1.28.0 v1.28.0 Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-icu          v1.28.0 v1.28.0 Symfony polyfill for intl's ICU-related data and classes
symfony/polyfill-intl-idn          v1.28.0 v1.28.0 Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-intl-normalizer   v1.28.0 v1.28.0 Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring          v1.28.0 v1.28.0 Symfony polyfill for the Mbstring extension
symfony/polyfill-php72             v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 7.2+ features to lower PHP v...
symfony/polyfill-php73             v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 7.3+ features to lower PHP v...
symfony/polyfill-php80             v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 8.0+ features to lower PHP v...
symfony/polyfill-php81             v1.28.0 v1.28.0 Symfony polyfill backporting some PHP 8.1+ features to lower PHP v...
symfony/polyfill-uuid              v1.28.0 v1.28.0 Symfony polyfill for uuid functions
symfony/process                    v6.3.4  v6.4.0  Executes commands in sub-processes
symfony/property-access            v6.4.0  v6.4.0  Provides functions to read and write from/to an object or array us...
symfony/property-info              v6.3.9  v6.4.0  Extracts information about PHP class' properties using metadata of...
symfony/security-acl               v3.3.3  v3.3.3  Symfony Security Component - ACL (Access Control List)
symfony/security-core              v5.4.30 v6.4.0  Symfony Security Component - Core Library
symfony/security-csrf              v6.4.0  v6.4.0  Symfony Security Component - CSRF Library
symfony/security-guard             v5.4.27 v5.4.27 Symfony Security Component - Guard
symfony/security-http              v5.4.31 v6.4.0  Symfony Security Component - HTTP Integration
symfony/serializer                 v6.3.10 v6.4.1  Handles serializing and deserializing data structures, including o...
symfony/service-contracts          v2.5.2  v3.4.0  Generic abstractions related to writing services
symfony/stopwatch                  v6.3.0  v6.4.0  Provides a way to profile code
symfony/string                     v6.4.0  v6.4.0  Provides an object-oriented API to strings and deals with bytes, U...
symfony/translation-contracts      v2.5.2  v3.4.0  Generic abstractions related to translation
symfony/twig-bridge                v5.4.31 v6.4.0  Provides integration for Twig with various Symfony components
symfony/var-dumper                 v6.3.6  v6.4.0  Provides mechanisms for walking through any arbitrary PHP variable
symfony/var-exporter               v6.3.6  v6.4.1  Allows exporting any serializable PHP data structure to plain PHP ...
symfony/yaml                       v5.4.23 v6.4.0  Loads and dumps YAML files

PHP version

$ php -v
PHP 8.1.24 (cli) (built: Oct 12 2023 09:19:15) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.24, Copyright (c) Zend Technologies
    with Xdebug v3.1.4, Copyright (c) 2002-2022, by Derick Rethans

Subject

It seems that the latest sonata-project/admin-bundle is not working well with symfony/security-http:v5.3.31, released on Nov 10.
It works well when pinning the symfony/security-http version to 5.3.30.
Therefore this issue prevents one from applying the symfony/security-http security patch released in symfony/security-http:v5.3.31.

Steps to reproduce

  • Execute composer update --with-dependencies sonata-project/admin-bundle
  • Confirm that the symfony/security-http version is 5.4.31
  • Try to create a new record through Sonata admin

Expected results

No CSRF token error when creating a record.

Actual results

CSRF token error

@VincentLanglet
Member

Closed in favor of #8015 (comment). There is no need for duplicate issues.

VincentLanglet closed this as not planned Dec 14, 2023
@rafa0805
Author

rafa0805 commented Dec 14, 2023

Actually, this is not a duplication. This is not the same issue, since symfony/security-http@v5.4.31 was released on Nov 10, which is quite a while after #8015's creation.

Isn't there something to be changed on the sonata-project/admin-bundle side to stay compatible with symfony/security-http?

Thanks.

@VincentLanglet
Member

Actually, this is not a duplication. This is not the same issue, since symfony/security-http@v5.4.31 was released on Nov 10, which is quite a while after #8015's creation.

If it wasn't the same, you had no reason to re-post your issue there.
Moreover, it's the same topic, and you don't really know the root cause; how can you be sure it's not the same reason?
There is no need to have one issue per symfony version.

Isn't there something to be changed on the sonata-project/admin-bundle side to stay compatible with symfony/security-http?

If there is something to change, that means Symfony made a BC break/mistake.
Then it's a Symfony issue. Did you open an issue on their side?

@rafa0805
Author

If it wasn't the same, you had no reason to re-post your issue there.

Sorry, this is totally my mistake. First I posted at #8015, but after that I came to think that it was a different issue, and then I created a new issue. I should have deleted the post I had made at #8015.

If there is something to change, that means Symfony made a BC break/mistake.

Totally understood. I'll open an issue on the Symfony side.

Thanks for your time.
