Changeset 8339

Timestamp:
04/07/08 07:40:45 (3 months ago)
Author:
dwhittle
Message:

1.1: removed csrf filter notes

Files:

  • doc/branches/1.1/book/06-Inside-the-Controller-Layer.txt

    r8337 r8339  
    868868 
    869869    rendering: ~ 
    870  
    871     #csrf: 
    872     #  class: sfCSRFFilter 
    873     #  param: 
    874     #    secret: my$ecret # change to something unique 
    875  
    876870    web_debug: ~ 
    877871    security:  ~ 
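Review bot: dropping the commented `#csrf:` block (lines 871-874 of the old file) from the `filters.yml` listing is the right companion to removing the sidebar, but the listing is presented to readers as the default filter configuration, so please confirm the generated `filters.yml` no longer contains this commented block either; if it still does, the book's listing and the file a developer sees will disagree about whether a `csrf` filter exists. The removed `secret: my$ecret # change to something unique` example was also the only place in this listing that told readers the secret must be customized, so if the filter is still shipped that instruction should survive somewhere.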
     
    908902>The `enabled: off` parameter works well to disable your own filters, but you can deactivate the default filters via the `settings.yml` file, by modifying the values of the `web_debug`, `use_security`, and `cache` settings. This is because each of the default filters has a `condition` parameter that tests the value of these settings. 
    909903 
    910 **New in symfony 1.1** 
    911  
    912 >**SIDEBAR** 
    913 >The CSRF Filter 
    914 > 
    915 >If you have a closer look at the default `filters.yml` configuration file, you will see a filter named `csrf` which is not enabled by default. The CSRF filter provides protection against Cross Site Request Forgeries (http://en.wikipedia.org/wiki/Csrf). 
    916 >As soon as you enable this filter, you are protected against CSRF attacks. Don't forget to customize the `secret` parameter as this is used to compute a unique token for your forms. 
    917 >The CSRF filter automatically adds a hidden field called `_csrf_token` for every form before the response is sent to the browser. The token value is made of the user `session_id` and the `secret` parameter. 
    918 >When a form is submitted in `POST`, the CSRF filter checks for the token value. If the token is not present or if the value is not the excepted one, it sends a `sfException` exception. 
    919904 
    920905### Building Your Own Filter
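Review bot: removing the whole sidebar (old lines 910-918) leaves this section with no mention of CSRF at all, and the commit message "removed csrf filter notes" does not say whether the `csrf` filter itself is gone from 1.1 or whether the protection is simply documented elsewhere now. Suggest keeping a one-line pointer after the `enabled: off` paragraph (old line 908) that tells the reader where CSRF protection is covered in 1.1, or stating plainly that the filter described in earlier drafts is no longer part of the default filter chain, so a reader who remembers the sidebar does not go looking for a `_csrf_token` field that is never added.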