10

I am having this strange issue with a fresh Symfony 3.0.1 installation. I generated a new CRUD Controller with a Form PostType which contains an url and a title. Nothing fancy.

The form is rendered as expected. It contains both my url field and title field. Inside the form the hidden input field _token is also rendered.

When submitting this form, I get the following error every time:

The CSRF token is invalid. Please try to resubmit the form.

So the token is added to the form, it contains a value, and I have a constant PHP session cookie value; it is just that this token is invalid.

I have searched for other answers but the similar questions are all caused by the absence of a _token input.

This problem also occurs in Symfony 3.0.2/3.0.3.

Pedro Casado
joostvandriel
  • There is no Symfony 3.1. – Wouter J Feb 04 '16 at 18:26
  • 3.1 is the dev-master. Look it up here : https://packagist.org/packages/symfony/symfony#dev-master – joostvandriel Feb 04 '16 at 18:35
  • Add some code that creates and processes the form – Max P. Feb 04 '16 at 18:49
  • Does it work in 3.0? dev-master is of course a work in progress so it could have errors I suppose. Seems unlikely that this sort of error would have been merged. – Cerad Feb 04 '16 at 19:46
  • Tested on 3.0.2, and there I get the same error. Will add code now. – joostvandriel Feb 05 '16 at 08:43
  • I just set up the FOSUserBundle and when I fill in the register form, I am getting the same CSRF error. So I doubt if this is something in my code. Does CSRF require any other configuration that I am not aware of? – joostvandriel Feb 05 '16 at 08:52
  • 4
    I debugged the application and it turned out that the CsrfTokenManager couldn't store the generated token into the sessionStorage. Once I figured this out, I changed the session's save_path: "%kernel.root_dir%/../var/sessions/%kernel.environment%" to ~. That fixed it. Now I am going to figure out what's the issue with the old save_path. – joostvandriel Feb 05 '16 at 14:12
  • @yellowmen, check if your var/sessions/ folder has writable permissions – Pedro Casado Mar 10 '16 at 14:21
  • @yellowmen: Changing the setting to default "~" also works for me. I double checked the permissions of the "var/sessions" path. They are writable for the webserver and also files get created. But they are empty. I think it's a Symfony 3 bug. – Micronax Mar 21 '16 at 18:15
  • Does anyone know if it has been fixed since then in the latest releases? – Stphane Apr 29 '16 at 16:58
  • @yellowmen I tried your solution and it didn't work :( What else could it be? I am using the built-in SF server (server:run), could that be it? – Yes Barry Aug 22 '16 at 20:28
  • @yellowmen It helped me too but I don't know why. In var/sessions Symfony created a dev directory and put files there. But it didn't work. On prod it works, not on dev. After setting the path to ~ it works on dev too. – Tom Jan 17 '18 at 19:22
  • I am having the same problem on Symfony 3.4.9; the error is only on dev. On prod it works without any problems. On dev, CsrfTokenManager couldn't store the generated token into the sessionStorage. Permissions are not a problem in my case. dev and prod have identical permissions. – shobekhan Jul 26 '18 at 10:32

7 Answers

16

In my case it was that the var/sessions/ folder wasn't writable. The default is var/sessions which is set at config.yml.

session:
    # http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
    handler_id:  session.handler.native_file
    save_path:   "%kernel.root_dir%/../var/sessions/%kernel.environment%"

Make sure you have var/ folders writable.

chmod 775 -R var/sessions/
chmod 775 -R var/log/
chmod 775 -R var/cache/
Pedro Casado
9

I just had a similar issue with Symfony 3.2

The CSRF token is invalid. Please try to resubmit the form.

After hours, we finally found the issue was related to session.cookie_secure (https):

Our production environment uses https, thus forces cookies to be secured over https. The dev environment used http. After moving the dev from HTTP to HTTPS, the problem was fixed.

Shrihari
1

I'm using Symfony 3.2.1 and it's working on one machine but not the other. No idea why.

@Shrihari's answer led me to the following solution.

My project also has cookie_secure: true. I updated config_dev.yml and added cookie_secure: false to the file.

framework:
    session:
        cookie_secure: false

This worked for me.

ar34z
0

It seems to be a bug in Symfony version >3.0, <3.0.3.

As @yellowmen pointed out, changing the framework.session.save_path in the config.yml fixes the problem.

Micronax
  • I have 3.1.3 and this is happening to me, none of these solutions worked. Is it a problem with using `server:run`? – Yes Barry Aug 23 '16 at 02:31
0

The bug is also present in 3.0.4. save_path: ~ worked for me.

sgaith
0

I experienced a similar problem with Symfony 4.2 when switching from dev to test environment.

I had the following setting in my framework.yaml file:

framework:
    session:
        storage_id: session.storage.mock_file

Solution:

Removing the storage_id: session.storage.mock_file setting solved the problem.

Important: You probably have to clear the cache for this to take effect.

For more information about the storage_id-configuration option also see here.

Alex
0

I had the same on env=dev but not on preprod (Symfony 4.4).

--Solution--

The sessions dir was missing in the root. I created one and then the problem was solved.

cheers

Theva
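
The fixes reported above (save_path, a missing or unwritable sessions directory, storage_id, cookie_secure) share one mechanism: the submitted _token is compared with a copy kept in the server-side session, so validation fails whenever that session does not survive from the GET to the POST. The following toy model in Python is an added example, not Symfony code and not taken from any answer; `Server`, `storage_persists` and `round_trip` are hypothetical names.

```python
import secrets


class Server:
    """Toy model of session-bound CSRF validation (not Symfony code)."""

    def __init__(self, storage_persists=True, cookie_secure=False):
        self.storage_persists = storage_persists  # False: save_path/storage broken
        self.cookie_secure = cookie_secure        # True: cookie carries Secure flag
        self.sessions = {}                        # session id -> session data

    def _load(self, cookie):
        sid = cookie or secrets.token_hex(8)      # no cookie: brand-new session
        return sid, dict(self.sessions.get(sid, {}))

    def render_form(self, cookie=None):
        sid, data = self._load(cookie)
        data["_csrf"] = secrets.token_urlsafe(16)
        if self.storage_persists:                 # a failed write is silent here
            self.sessions[sid] = data
        return {"sid": sid, "secure": self.cookie_secure}, data["_csrf"]

    def submit(self, cookie, token):
        _, data = self._load(cookie)
        expected = data.get("_csrf")
        return expected is not None and secrets.compare_digest(expected, token)


def round_trip(server, scheme):
    """GET the form, then POST it back as a browser would over `scheme`."""
    set_cookie, token = server.render_form()
    # A browser never returns a Secure cookie over plain http.
    returned = scheme == "https" or not set_cookie["secure"]
    return server.submit(set_cookie["sid"] if returned else None, token)


if __name__ == "__main__":
    cases = {
        "healthy session, http": (Server(), "http"),
        "session write fails": (Server(storage_persists=False), "http"),
        "cookie_secure on http": (Server(cookie_secure=True), "http"),
        "cookie_secure on https": (Server(cookie_secure=True), "https"),
    }
    for name, (srv, scheme) in cases.items():
        print(f"{name}: token valid = {round_trip(srv, scheme)}")
```

In the "session write fails" case the form still renders a token and the session id stays constant, which matches the symptom described in the question.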