除非停用csrf字段,否则我的表单永远无法在本地主机上验证。

它在产品上工作得很好。

我以为它可能来自我的配置:

router.request_context.host: 'localhost:8000'
router.request_context.scheme: 'http'


但是尽管进行了无数次尝试,但我仍无法弄清它的来源。

我的userType.php很基本:

class UserType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // Remember username is email
        $builder
            ->add('firstName', TextType::class, array(
                'required' => true,
            ))
            ->add('lastName', TextType::class, array(
                'required' => true,
            ))
            ->add('email', EmailType::class, array(
                'required' => true,
            ))
            ->add('plainPassword', PasswordType::class, array(
                'required' => true,
            ))
            ->add('save', SubmitType::class, array('label' => 'Create Account'))
        ;
    }

    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults(array(
            'data_class' => User::class,
            // enable/disable CSRF protection for this form
            'csrf_protection' => true,
            // the name of the hidden HTML field that stores the token
            'csrf_field_name' => '_token',
            // an arbitrary string used to generate the value of the token
            // using a different string for each form improves its security
            'csrf_token_id'   => 'user_item'
        ));
    }
}


我在树枝上的表单非常简单:

{{ form_start(form, {'attr': {'id': 'register'}}) }}
    <div class="panel panel-body registration-form">
        <div class="text-center">
            <img style="margin: 20px auto;" src="{{ asset('platform/images/icon-profile.svg') }}"/>
            <h5 class="content-group-lg">ACCOUNT CREATION</h5>
        </div>

        {% for message in app.flashes('error') %}
            <p class="alert alert-danger no-border"><strong>{{ message }}</strong></p>
        {% endfor %}

        <div class="row">
            <div class="col-md-12">
                <div class="form-group has-feedback">
                    {{ form_widget(form.email, {'attr': {'class': '', 'placeholder': "Your Email"}}) }}
                    {#<div class="form-control-feedback">#}
                    {#<i class="icon-mention text-muted"></i>#}
                    {#</div>#}
                    <small class="text-danger">{{ form_errors(form.email) }}</small>
                </div>
            </div>
        </div>

        <div class="row">
            <div class="col-md-6">
                <div class="form-group has-feedback">
                    {{ form_widget(form.firstName, {'attr': {'class': '', 'placeholder': "Your Fist Name"}}) }}
                    {#<div class="form-control-feedback">#}
                    {#<i class="icon-user-check text-muted"></i>#}
                    {#</div>#}
                    <small class="text-danger">{{ form_errors(form.firstName) }}</small>
                </div>
            </div>
            <div class="col-md-6">
                <div class="form-group has-feedback">
                    {{ form_widget(form.lastName, {'attr': {'class': '', 'placeholder': "Your Last Name"}}) }}
                    {#<div class="form-control-feedback">#}
                    {#<i class="icon-user-check text-muted"></i>#}
                    {#</div>#}
                    <small class="text-danger">{{ form_errors(form.lastName) }}</small>
                </div>
            </div>
        </div>

        <div class="row">
            <div class="col-md-12">
                <div class="form-group has-feedback">
                    {{ form_widget(form.plainPassword, {'attr': {'class': '', 'placeholder': "Create Password"}}) }}
                    {#<div class="form-control-feedback">#}
                    {#<i class="icon-user-lock text-muted"></i>#}
                    {#</div>#}
                    <small class="text-danger">{{ form_errors(form.plainPassword) }}</small>
                </div>
            </div>
        </div>

        <div class="form-group help-block">
            <div class="checkbox">
                By clicking on "Create Account" you accept our
                <a href="{{ path('terms') }}">terms of service</a>
            </div>
        </div>

        <div class="text-right">
            {{ form_widget(form.save, {'attr': {'class': 'btn btn-block new-btn new-blue'}} ) }}
{#            <input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response"/>#}
            {#<button name="form[save]" type="submit" class="btn bg-teal-400 btn-labeled btn-labeled-right ml-10"><b><i class="icon-plus3"></i></b> Create account</button>#}
        </div>
    </div>
    {{ form_end(form) }}


由于我使用的是form_startform_end,因此我的csrf令牌字段将使用正确的名称生成。

我也尝试过手动添加输入:

最佳答案

检查您的会话目录是否可写,或者您是否正在使用HTTPS保护cookie,但在本地使用HTTP。

从symfony blog


cookie_secure选项的新默认值为null,这使cookie在请求使用HTTPS时安全,而在请求使用HTTP时不修改它们。在使您的应用“默认为安全”和不破坏任何现有应用之间可以很好地平衡新的行为。


# config/packages/framework.yaml
framework:
    session:
        # improves the security of the cookies used for sessions
        cookie_secure: 'auto'

关于php - CSRF token 在本地主机上始终无效-Symfony 4表单,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/59394134/

10-11 08:39