Generate new CSRF token without reloading the entire form

Question

If a user gets logged out (due to session expiration or for other reasons) in the background while using my Symfony2 application, I have implemented a JS layer appearing on the screen, allowing the user to log back in immediately and continue using the website.

The problem is, if the user is in the middle of filling a form and gets logged out, after logging back in using the JS layer, he's still looking at the same form with values he already managed to type in, but his session changes. The CSRF token in the form is therefore invalid.

Is there a way to generate a new CSRF token based on the current session and particular form, grab it by AJAX and replace in the form? Or maybe there is other solution to this?

I don't want to disable the CSRF protection.

I don't have enough reputation to comment place a comment on a solution, so I'll do it this way. The answer of thecatontheflat would probably work, but in my opinion that would break the whole concept of a CSRF protection: A bot can simply call the AJAX controller, fetch the token and use that to POST with the form. — vrijdenker, Jul 15 '14 at 13:02

Vitalii Zurian · Accepted Answer · 2015-01-21T08:26:42.173

33

Assuming that you use default CSRF Provider, in your AJAX controller you can get your CSRF Provider service and "ask" it to regenerate token:

Symfony 2.3 (and prior)

/** @var \Symfony\Component\Form\Extension\Csrf\CsrfProvider\SessionCsrfProvider $csrf */
$csrf = $this->get('form.csrf_provider');
$token = $csrf->generateCsrfToken($intention); 

return new Response($token);

Symfony 2.4

/** @var \Symfony\Component\Security\Csrf\CsrfTokenManagerInterface $csrf */
$csrf = $this->get('security.csrf.token_manager');
$token = $csrf->refreshToken($intention);

return new Response($token);

edited Jan 21 '15 at 08:26

answered Jul 24 '12 at 14:10

Vitalii Zurian

17,858
4
64
81

Best solution ! Or you can generate the token in Javascript (its basically a sha1 hash, or you can override the default CsrfProvider to have your own token algo.) ;-) – Thomas Decaux Aug 10 '12 at 11:39
Thank you :) Would be nice if @grzechoo could agree and accept an answer – Vitalii Zurian Aug 10 '12 at 12:22
Sorry for the delay, I was away for a while. Accepted! :) – grzechoo Sep 06 '12 at 09:18
1

Note that as of Symfony2.4 form.csrf_provider is outdated – Bohdan Yurov May 14 '14 at 15:00

score 10 · Answer 2 · answered May 14 '14 at 15:03

Use this to regenerate CSRF token (Since Symfony2.4):

$csrf = $this->get('security.csrf.token_manager'); //Symfony\Component\Security\Csrf\CsrfTokenManagerInterface
$token = $csrf->refreshToken($intention); // Intention is specified in form type

return new Response($token);

score 4 · Answer 3 · answered Oct 23 '14 at 19:52

4

Yes, the bot could fetch an csrf token and post something to the form, but as the token is bound to the session, it doesn't matter. CSRF tokens are not intended to prevent submission of forms by bots.

answered Oct 23 '14 at 19:52

dgtl

41
1

score 1 · Answer 4 · answered Jul 13 '12 at 08:36

1

To me the easier solution is to redirect user on the same form, passing data alredy inserted via POST.
In that way the token will be generated again in an automatic way.
Moreover, you'll not lost data input.

answered Jul 13 '12 at 08:36

DonCallisto

29,419
9
72
100

Thanks, but I'm looking for a more general solution. I currently have a lot of custom validation functionalities, I would have to go through all of my forms one by one and adjust. Not easier at all. – grzechoo Jul 13 '12 at 09:30

Generate new CSRF token without reloading the entire form

4 Answers4

Symfony 2.3 (and prior)

Symfony 2.4

Linked