Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
[Security] Added Security\Csrf sub-component with better token generation #6554
Update September 27, 2013
This PR simplifies the CSRF mechanism to generate completely random tokens. A random token is generated once per
Since the CSRF token generator depends on
In the new Security\Csrf sub-component, I tried to improve the naming where I could do so without breaking BC:
IMO we do not need cryptographic safe tokens here.
@mvrhov You're correct, the randomness need not be very cryptographically secure. The CSRF token is already a sub-unit of a randomly generated session ID though even that has some predictive weaknesses (needs better entropy) due to be improved in PHP 5.4.
The options currently in favour are to use openssl_pseudo_random_bytes() under PHP 5.3.4+ or fall back to a (concatenated) token generated using mt_rand(). Neither is, as far as I'm aware, blocking and mt_rand() is better than you'd expect if Suhosin is installed. I think openssl seeds itself using /dev/urandom intelligently (i.e. the non-blocking but lower entropy partner to /dev/random).
Only thing you have to watch for is that openssl's random functions were blocking under Windows due to an openssl bug. This was fixed but you should avoid using openssl_pseudo_random_bytes() under PHP 5.3.3 or less and go straight to mt_rand().
CSRF tokens need to be random - just not as crazily random as if we needed a high value long-term key :P.
I'm currently trying to get this into 2.3. I'm not sure which way to go though:
(a) As is, plus a new parameter
This PR was merged into the master branch. Discussion ---------- [Security] Split the component into 3 sub-components Core, ACL, HTTP | Q | A | ------------- | --- | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #9047, #8848 | License | MIT | Doc PR | - The rationale behind this PR is to be able to use any of the sub components without requiring all the dependencies of the other sub components. Specifically, I'd like to use the core utils for an improved CSRF protection mechanism (#6554). Commits ------- 14e9f46 [Security] removed unneeded hard dependencies in Core 5dbec8a [Security] fixed README files 62bda79 [Security] copied the Resources/ directory to Core/Resources/ 7826781 [Security] Split the component into 3 sub-components Core, ACL, HTTP
I updated this PR now. I deprecated the old CSRF implementation in the Form component and added a new Security CSRF sub-component with a better implementation that depends on Security Core. See the CHANGELOGs in the diff for more information.
I need some feedback regarding the service wiring.
…ger and TokenGenerator (bschussek) This PR was merged into the master branch. Discussion ---------- [Security\Csrf] Split CsrfTokenGenerator into CsrfTokenManager and TokenGenerator | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #9210 | License | MIT | Doc PR | - This is a follow-up PR of #6554 that splits the CsrfTokenGenerator into two separate classes for generating and managing CSRF tokens. As a consequence, it is now possible to explicitly remove or refresh CSRF tokens if they should be used only once. See #9210 for more information. Commits ------- d4bb5f4 [Security\Csrf] Split CsrfTokenGenerator into CsrfTokenManager and TokenGenerator
…lfiren, Aaron Valandra, xabbuh) This PR was merged into the 2.7 branch. Discussion ---------- csrf_token_generator and csrf_token_id documentation | Q | A | ------------- | --- | Doc fix? | no | New docs? | yes (symfony/symfony#6554, symfony/symfony#9587) | Applies to | 2.4+ | Fixed tickets | #3059, #5942 Commits ------- 304d7a5 finish csrf_token_generator and csrf_token_id docs 3ceb61c Improper markdown for versionadded. 91b5e2e Updated documentation as requested by @stof and @xabbuh 0044aa2 Updated csrf_in_login_form.rst to include csrf_token_id and csrf_token_generator