
I have a Symfony form. Submitting it, I get an error message:

The CSRF token is invalid. Please try to resubmit the form.

I don't know why I get this. I bind the request to the form after checking that the request method is POST:

if ($request->getMethod() === 'POST') {
    $form->handleRequest($request);
}

Here is the type of the form.

use Symfony\Component\Form\AbstractType;

class PasswordActionType extends AbstractType {
    protected $forgotten_password;

    public function __construct($forgotten_password) {
        $this->forgotten_password = $forgotten_password;
    }

    public function buildForm(\Symfony\Component\Form\FormBuilderInterface $builder, array $options) {
        $builder->add('identifiant', 'text', array('attr' => array('style' => 'width:250px')));

        if (!$this->forgotten_password) {
            // form2: the old password plus a repeated new-password field
            $builder->add('ancienMDP', 'password', array(
                'label' => 'Ancien MDP',
                'attr' => array(
                    'class' => 'ligne',
                    'style' => 'width:252px'
                )));
            $builder->add('nouveauMDP', 'repeated', array(
                'type' => 'password',
                'invalid_message' => 'Confirmation différente du nouveau mot de passe',
                'first_options' => array('label' => 'Nouveau MDP'),
                'second_options' => array('label' => 'Confirmer'),
                'options' => array(
                    'attr' => array(
                        'class' => 'ligne',
                        'style' => 'width:252px'
                ))
            ));
        } else {
            // form1: the same two fields, rendered as hidden inputs
            $builder->add('ancienMDP', 'hidden', array('error_bubbling' => false, 'data' => 'NULL'));
            $builder->add('nouveauMDP', 'hidden', array('error_bubbling' => false, 'data' => 'NULL'));
        }
    }

    public function configureOptions(\Symfony\Component\OptionsResolver\OptionsResolver $resolver) {
        $resolver->setDefaults(array(
            'data_class' => 'My\Bundle\Security\PasswordAction',
            'csrf_protection' => true,
            'csrf_field_name' => 'token'
        ));
    }

    // The form name; it is also the default CSRF token id for this form
    public function getName() {
        return 'cramif_password_action';
    }
}

So 2 forms use the same builder. The difference is the value of "forgotten_password".

form1: forgotten_password = true

The 2 fields 'ancienMDP' and 'nouveauMDP' are hidden HTML fields.

form2: forgotten_password = false

The 2 fields are what you can see.

There is no problem with form1, no CSRF error.

The problem occurs with form2.

Note: the 2 forms are displayed with Twig with the same commands.

Note 2: in the Twig template I have a form_rest.

mlwacosmos
  • Possible duplicate of [The CSRF token is invalid. Please try to resubmit the form](http://stackoverflow.com/questions/23455780/the-csrf-token-is-invalid-please-try-to-resubmit-the-form) – felipsmartins Jan 29 '16 at 15:37
  • What isn't the same about it? It looks like exactly the same issue. – Jason Roman Jan 29 '16 at 15:40
  • Also, if you do not want CSRF just set the `csrf_protection` option to `false` in `getDefaultOptions()` from form class – felipsmartins Jan 29 '16 at 15:40
  • Anyway... There are many duplicated answers here on SO regarding this question. – felipsmartins Jan 29 '16 at 15:48
  • the answer is always the same: bind your request after the post and put form_rest... I know – mlwacosmos Jan 29 '16 at 15:51
  • You don't need to manually add your CSRF token field in your form builder, or specify that protection is set to true or that the name of the token is `token` - that is all handled for you automatically by Symfony and already contains the default values – Jason Roman Jan 29 '16 at 16:00
  • sorry sorry... it was a mistake... check it.. I took it off (I was just trying different things) when I copied – mlwacosmos Jan 29 '16 at 16:06
  • I noticed in an earlier edit of your post, in your `form_rest` you had `'render_rest': false`, which will eliminate the CSRF token if you didn't manually do a `form_row(form._token)`, check that as well. – Jason Roman Jan 29 '16 at 16:09
  • I am going to delete the post.. I found it.. a session problem. Thanks to you all – mlwacosmos Jan 29 '16 at 16:12
  • Don't delete! Post the answer. It might happen to another one, IMO. – felipsmartins Jan 29 '16 at 16:13

1 Answer


Just to help people:

If you think you did it right:

  • bound the request after checking that the form is posted

  • used form_rest.

Check that you did not invalidate your session. Of course, for the CSRF to work, you need a valid session.

mlwacosmos
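To make the answer's point concrete, here is an added plain-PHP model of a session-bound CSRF token (example code written for this page; it is neither the asker's code nor Symfony's own implementation). `FakeSession` and `SessionCsrfTokenManager` are simplified stand-ins for Symfony's session and `CsrfTokenManager`, and `submitPasswordForm()` is a hypothetical helper that simulates one render/submit round-trip; the token id `cramif_password_action` is the form name from the question's `getName()`. It shows why a token that was rendered correctly still fails validation once the session holding its counterpart has been invalidated.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or from Symfony: a minimal model of a
// session-bound CSRF token, showing why an invalidated session produces
// "The CSRF token is invalid." on an otherwise correct form.

/** Simplified stand-in for the session (assumption: only the operations needed here). */
final class FakeSession
{
    private array $data = [];

    public function get(string $key): ?string
    {
        return $this->data[$key] ?? null;
    }

    public function set(string $key, string $value): void
    {
        $this->data[$key] = $value;
    }

    /** Like Session::invalidate(): every stored value, the CSRF secret included, is gone. */
    public function invalidate(): void
    {
        $this->data = [];
    }
}

/** Simplified stand-in for Symfony's CsrfTokenManager with session-backed storage. */
final class SessionCsrfTokenManager
{
    private const NAMESPACE = '_csrf/';

    public function __construct(private FakeSession $session)
    {
    }

    /** Called when the form is rendered: stores a random token in the session and returns it for the hidden field. */
    public function getToken(string $tokenId): string
    {
        $key = self::NAMESPACE . $tokenId;
        $token = $this->session->get($key);
        if ($token === null) {
            // URL-safe base64 of 32 random bytes, the same shape Symfony's UriSafeTokenGenerator produces
            $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
            $this->session->set($key, $token);
        }
        return $token;
    }

    /** Called on submit: the posted value must equal the value still stored in the session. */
    public function isTokenValid(string $tokenId, string $submitted): bool
    {
        $stored = $this->session->get(self::NAMESPACE . $tokenId);
        // hash_equals() compares in constant time, so the check does not leak the secret through timing
        return $stored !== null && hash_equals($stored, $submitted);
    }
}

/**
 * Hypothetical helper: simulates one GET (render) followed by one POST (submit) and
 * returns whether the token validates. $invalidateBetween mimics something calling
 * $session->invalidate() (or session_destroy()) between the two requests.
 */
function submitPasswordForm(bool $invalidateBetween): bool
{
    $session = new FakeSession();
    $manager = new SessionCsrfTokenManager($session);
    $tokenId = 'cramif_password_action'; // the form name from getName() in the question

    // GET: Twig renders the form; form_rest() emits the hidden field cramif_password_action[token]
    $renderedToken = $manager->getToken($tokenId);

    if ($invalidateBetween) {
        $session->invalidate();
    }

    // POST: the browser sends the rendered token back; handleRequest() performs this comparison
    return $manager->isTokenValid($tokenId, $renderedToken);
}

// Healthy session: the stored secret and the posted token still match.
var_dump(submitPasswordForm(false));

// Session invalidated in between: the stored secret no longer exists, so no posted
// token can match it, and Symfony reports "The CSRF token is invalid."
var_dump(submitPasswordForm(true));
```

In a real Symfony application the corresponding check is to look for any `$session->invalidate()`, `session_destroy()` or logout/firewall handling that runs between the GET that renders the form and the POST that submits it, and to confirm that the session cookie is actually sent back on the POST (a cookie path or domain mismatch between the two URLs has the same effect as an invalidated session).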