feature #57 Add CSRF protection for login form (xelaris)

This PR was merged into the master branch. Discussion ---------- Add CSRF protection for login form Commits ------- a95a5f9 Add CSRF protection for login form
symfony · Apr 24, 2015 · 7e201d2 · 7e201d2
2 parents cd2d222 + a95a5f9
commit 7e201d2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/app/Resources/views/security/login.html.twig b/app/Resources/views/security/login.html.twig
@@ -23,6 +23,7 @@
                             <label for="password">Password:</label>
                             <input type="password" id="password" name="_password" class="form-control" />
                         </div>
+                        <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}"/>
                         <button type="submit" class="btn btn-primary">
                             <i class="fa fa-sign-in"></i> Sign in
                         </button>

diff --git a/app/config/security.yml b/app/config/security.yml
@@ -29,6 +29,9 @@ security:
                 # The name of the route where the login form lives
                 # When the user tries to access a protected page, they are redirected here
                 login_path: security_login_form
+                # Secure the login form against CSRF
+                # Reference: http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html
+                csrf_provider: security.csrf.token_manager
 
             logout:
                 # The route name the user can go to in order to logout