drfals1307 2014-03-08 00:14
浏览 1545

要求在所有请求中都存在X-CSRF-Token标头

The default CSRF prevention in Symfony is form-based (which happens automatically if you use the provided form builder). However, for AJAX requests it is tedious to manually attach the CSRF token to each HTTP request and then check it manually for each request.

A good approach would be to embed the token as an HTTP header, as suggested in the comments of this question. jQuery can then be configured to include this header on each request as described here.

My question is how best to handle this within Symfony? I can include the CSRF token in each page using Twig, but how do I check incoming requests to ensure that each request contains a valid token in the header?

I'm aware of how to access the HTTP headers using $request->headers->get('X-CSRF-Token') from within a controller, but that still means having to perform this check within each controller individually. Whereabouts should I add this check so that it is caught as early as possible?

  • 写回答

1条回答 默认 最新

  • dsbpaqt61965 2014-03-08 01:36
    关注

    Im not 100% sure on this but I would use a BaseFormType and extend that.

    Your base form type will use the form event PRE_SET_DATA listener and take the request look for the header then populate that header into the _token field.

    //FormType
class BaseFormType extends AbstractType
{
    protected $request;

    public function __construct(Request $request)
    {
        $this->request = $request;
    }

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $request = $this->request;
        $builder->addEventListener(FormEvents::PRE_SET_DATA, function(FormEvent $event) use($request){
            $token = $request->headers->get('X-CSRF-Token');
            if($token){
                $form = $event->getForm();
                $form->get('_token')->setData($token);
            }
        }
    }
}

    Then all of your FormTypes will extend this:

    //YourCustomFormType
class YourCustomFormType extends BaseFormType
{

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        parent::buildForm();
        $form->add('name');
    }
}

    Then your controller action

    //Controller
public function sayMyNameAction(Request $request)
{
    $name = new Name();
    $form = $this->createForm(new YourCustomFormType($request),$name);
    if($request->isMethod('POST'))
    {
        $form->handleRequest($request);
        if($form->isValid()){
            return new JsonResponse(array('say':$name->getName()));
        }
    }
}

    Or something along those lines.

    评论

报告相同问题?

悬赏问题

  • ¥15 phython路径名过长报错 不知道什么问题
  • ¥15 深度学习中模型转换该怎么实现
  • ¥15 HLs设计手写数字识别程序编译通不过
  • ¥15 Stata外部命令安装问题求帮助!
  • ¥15 从键盘随机输入A-H中的一串字符串,用七段数码管方法进行绘制。提交代码及运行截图。
  • ¥15 TYPCE母转母,插入认方向
  • ¥15 如何用python向钉钉机器人发送可以放大的图片?
  • ¥15 matlab(相关搜索:紧聚焦)
  • ¥15 基于51单片机的厨房煤气泄露检测报警系统设计
  • ¥15 Arduino无法同时连接多个hx711模块,如何解决?