CSRF Token handling not longer working in Symfony 5.4 #313
Comments
|
I got hit by this issue too. Composer won't let me dowgrade, complains it can't find a suitable set of dependencies to install. Is there any other suggestion for a workaround? |
|
@benjamintypzwo see Alternative B in the Description for another workaround. |
|
Ah I see, sorry - totally misunderstood this one. |
|
@benjamintypzwo added additional workaround. when you enable recaptcha for your form it currently disables csrf token checks and so can be used as an alternative workaround. |
|
At current state we will disable csrf protection by default, so the form bundle just works out of the box. If somebody want csrf protection it need to be enabled and the ajax loading be implemented: https://github.com/sulu/SuluFormBundle/blob/2.4/UPGRADE.md#240. Alternative there can be |
|
Closing this as we the Symfony HttpCache ESIs behave now similar as Varnish ESIs which make sense so we are not able to fix here and just need to remove the docs about CSRF ESI handling in future when drop support for Symfony 5.3 |
Actual Behavior
CSRF Token handling not longer working in Symfony 5.4. When visiting a site with a CSRF Token. No SessionID Cookie is written.
Expected Behavior
CSRF Token should be loaded and correctly used.
Proposed Solution
Maybe we can analyse how the ESI Content is set to the Cached content and forward the Set-Cookie from the subrequest to the main request. This is something which will only work for Symfony Http Cache.
Workarounds
Workaround A: Downgrade symfony/http-kernel:
Workaround B:
Implement Ajax behaviour for symfony http kernel:
https://github.com/sulu/SuluFormBundle/blob/2.x/Resources/doc/csrf.md#ajax
Workaround C:
Using recaptcha currently disable csrf token for forms.
https://github.com/sulu/SuluFormBundle/blob/2.x/Resources/doc/recaptcha.md
The text was updated successfully, but these errors were encountered: