I know there's the usual way to render the CSRF token hidden input with `form_rest`, but is there a way to render just the CSRF input itself? I've overridden `{% block field_widget %}` in the theme to render a piece of additional text. But as the CSRF token is rendered in an input field too, I got a piece of text I don't need next to a hidden field. So I'd like to render it separately with an argument that tells it not to render this text.

5 Answers
If you have a `formView` object, you can render it using the Twig function:

```twig
{{ form_widget(formView._token) }}
```

If you haven't, you can render the token without using the form object directly:

```html
<input type="hidden" name="token" value="{{ csrf_token('some-name') }}">
```

Works in Symfony 2.x and 3.x.

To validate the token you can use the following code in your controller (Symfony 3.x):

```php
$submittedToken = $request->request->get('token');
if ($this->isCsrfTokenValid('some-name', $submittedToken)) {
    // ... do something,
}
```

- Nice to know, sometimes this is a very useful feature – Luciano Mammino Oct 08 '14 at 23:19
- Sorry, did not work for me :( I got "CSRF tokens can only be generated if a CsrfTokenManagerInterface is injected in FormRenderer::__construct()." in Symfony 3.1. But which FormRenderer? I don't want to use any form. – Xover Sep 16 '16 at 14:16
- This works for me in Symfony 3.2, although you made a statement that _'authenticate' is supposed to be the form name_. I don't think this is true. It should always be '**authenticate**' if you are using it for login. Check [official docs](http://symfony.com/doc/current/security/csrf_in_login_form.html) for this. – Niket Pathak Mar 25 '17 at 02:04
- @NiketPathak Thanks, updated the answer with new information – pliashkou Aug 14 '18 at 08:30

Or you can just simply use this:

```twig
{{ form_row(form._token) }}
```

This will automatically generate the proper hidden HTML elements, i.e. the proper HTML structure and field names, according to the type of form you're using.

I needed to render the CSRF input inside Twig so that I could use it for Delete operations.

Using `{{ csrf_token('authenticate') }}` as per @YuryPliashkou's answer gives me the incorrect token (one which is only valid for logins!)

What worked for me was this: `{{ csrf_token('form') }}`, which gives me the correct CSRF token, which I would then pass to my controller via ajax.

```html
<span id="csrf_token" data-token="{{ csrf_token('form') }}"></span>
```

```javascript
// my ajax call
$.ajax({
    url: "http://localhost/admin/product/4545", // 4545 -> id of the item to be deleted
    type: 'POST',
    data: {
        "_method": "DELETE",
        "form[_token]": $("#csrf_token").data("token") // passed csrf token here
    },
    success: function(result) {
        // Do something
    }
});
```

Verified it's working on Symfony 3.x.
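
The token-id mismatch described in the answer above, reproduced outside a controller as an added example that is not part of the original answers or of Symfony's own code. It assumes the `symfony/security-csrf` package is installed with Composer; `ArrayTokenStorage` and `isValidFor` are hypothetical helpers standing in for the session storage and the controller's `isCsrfTokenValid()` call.

```php
<?php
// Added example. Assumes: composer require symfony/security-csrf
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Csrf\Exception\TokenNotFoundException;
use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;

// Hypothetical in-memory storage standing in for the user's session.
final class ArrayTokenStorage implements TokenStorageInterface
{
    private $tokens = [];

    public function getToken($tokenId): string
    {
        if (!isset($this->tokens[$tokenId])) {
            throw new TokenNotFoundException("No CSRF token stored for id '$tokenId'.");
        }
        return $this->tokens[$tokenId];
    }
    public function setToken($tokenId, $token): void { $this->tokens[$tokenId] = (string) $token; }
    public function hasToken($tokenId): bool { return isset($this->tokens[$tokenId]); }
    public function removeToken($tokenId): ?string
    {
        $old = $this->tokens[$tokenId] ?? null;
        unset($this->tokens[$tokenId]);
        return $old;
    }
}

// Same check a controller's isCsrfTokenValid($id, $submitted) performs.
function isValidFor(CsrfTokenManager $manager, string $id, ?string $submitted): bool
{
    return null !== $submitted && $manager->isTokenValid(new CsrfToken($id, $submitted));
}

$manager = new CsrfTokenManager(new UriSafeTokenGenerator(), new ArrayTokenStorage());
// Twig's csrf_token('<id>') yields $manager->getToken('<id>')->getValue().
$login  = $manager->getToken('authenticate')->getValue();
$delete = $manager->getToken('form')->getValue();
var_dump(isValidFor($manager, 'form', $delete)); // token issued for this id
var_dump(isValidFor($manager, 'form', $login));  // token issued for the login id
var_dump(isValidFor($manager, 'form', null));    // field missing from the request
```

Only the first check passes: a token is accepted only under the id it was generated for, so the id passed to `csrf_token()` in the template has to be the one the receiving code validates against.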

I didn't find a solution that worked for me. I found, tested, and got working on my Symfony 3 `value="{{ _token }}"`, as in this example:

```html
<form name="form" method="post" action="{{ path('blog_show', { 'id': blog.id }) }}">
    <input name="_method" value="DELETE" type="hidden">
    <input class="btn btn-danger" value="Delete" type="submit">
    <input id="form__token" name="form[_token]" value="{{ _token }}" type="hidden">
</form>
```

More about CSRF can be viewed here: Creating forms manually in Symfony2, but still use its CSRF and isValid() functionalily
