Description Protection against Cross Site Request Forgeries. Categories Security Forms

Leads

Name	Email
Fabien POTENCIER	moc.tcejorp-ynofmys <<ta>> reicnetop.neibaf

Releases for sf 1.1

Releases for sf 1.0

Copyright (c) 2004-2006 Fabien Potencier

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Ticketing

Go to the ticketing system to view opened tickets or report a bug.

Join this plugin team

Other releases

Release 1.0.1 - 26/06/2007

Release 1.0.0 - 26/06/2007

Installation for sf 1.0

php symfony plugin-install http://plugins.symfony-project.org/sfCSRFPlugin 

PEAR

Download the PEAR package

Repository

Go to the repository: http://svn.symfony-project.com/plugins/sfCSRFPlugin

sfCSRF plugin

The sfCSRFPlugin plugin provides protection against Cross Site Request Forgeries (http://en.wikipedia.org/wiki/Csrf).

This plugin is a backport of a symfony 1.1 native feature.

Installation

• Install the plugin

  symfony plugin-install http://plugins.symfony-project.com/sfCSRFPlugin
  

• Enable the plugin in filters.yml and choose a secret

  csrf:
    class: sfCSRFFilter
    param:
      secret: my$ecret
  

• Clear you cache

  symfony cc
  

Usage

As soon as you enable the plugin in your filters.yml configuration file, you are protected against CSRF attacks.

How does it work?

The CSRF filter automatically adds a hidden field called _csrf_token for every form before the response is sent to the browser. The token value is made of the user session_id and the secret you have configured in the filters.yml file.

When a form is submitted in POST, the CSRF filter checks for the token value. If the token is not present or if the value is not the excepted one, the plugin send a sfException exception.