New in Symfony 7.1: IsCsrfTokenValid Attribute
Contributed by
Yassine Guedidi
in #52961
and #54443.
CSRF (Cross-site Request Forgery) attacks are used by malicious users to make
your legitimate users submit data unknowingly. In Symfony we provide full protection
against CSRF attacks thanks to the SecurityCsrf component.
The following is a common code snippet used in controllers that extend Symfony’s
AbstractController to check that the CSRF token of the form is valid:
use SymfonyBundleFrameworkBundleControllerAbstractController;
use SymfonyComponentHttpFoundationResponse;
use SymfonyComponentHttpKernelExceptionBadRequestHttpException;
class BlogPostController extends AbstractController
{
// …
public function delete(): Response
{
if (!$this->isCsrfTokenValid(‚delete_example‘, $request->request->getString(‚_token‘))) {
throw new BadRequestHttpException(‚This token is invalid‘);
}
// …
}
}
In Symfony 7.1 we’re introducing a new #[IsCsrfTokenValid] attribute to make
this code simpler:
// …
use SymfonyComponentSecurityHttpAttributeIsCsrfTokenValid;
class BlogPostController
{
// …
#[IsCsrfTokenValid(‚delete_example‘, tokenKey: ‚token‘)]
public function delete(): Response
{
// …
}
}
Another common need is to check multiple similar CSRF tokens. For example, in a
listing of blog posts, each one has a slightly different delete form:
{% for post in blog_posts %}
{# … #}
<form action=„{{ path(‚post_delete‘, {post: post.id}) }}„ method=„POST“>
<input type=„hidden“ name=„_token“ value=„{{ csrf_token(‚delete-post-‚ ~ post.id) }}„>
</form>
{% endfor %}
This can also be solved with the #[IsCsrfTokenValid] attribute because it
supports expressions compatible with the ExpressionLanguage component:
// …
use SymfonyComponentExpressionLanguageExpression;
class BlogPostController
{
// …
#[IsCsrfTokenValid(new Expression(‚“delete-post-“ ~ args[„post“].id‘))]
public function delete(Request $request, Post $post): Response
{
// …
}
}
Symfony Blog