[Form] Add csrf_token_lazy option #54705
base: 7.1
Hey! I see that this is your first PR. That is great! Welcome! Symfony has a contribution guide which I suggest you read. In short:

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change. When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor! I am going to sit back now and wait for the reviews. Cheers! Carsonbot

Hey! Thanks for your PR. You are targeting branch "7.1" but it seems your PR description refers to branch "7.1 for features". Cheers! Carsonbot
@chalasr I've decided against implementing an internal controller action for AJAX requests. It's important to note that there's no missing code, as the CSRF token will still be validated by Symfony's FormTypeCsrfExtension in all cases. This mechanism ensures that token validation fails when the token field is an empty string on the form, thereby maintaining security standards. Instead, I suggest providing guidance for developers to determine whether to handle token generation internally or independently. This approach preserves flexibility while mitigating potential risks associated with token handling. I'm open to alternative suggestions regarding the implementation of lazy CSRF-token generation. If you have any ideas on how to address potential risks while maintaining flexibility, I'd love to hear them.

Edit: Indeed, achieving lazy CSRF-token generation can be approached in various ways. For developers who prefer not to rely on JavaScript and AJAX requests, an alternative method could involve utilizing form submissions to initiate the required form. For instance, a "show form" button could trigger a form submission to start the required form with the CSRF token initialized. This provides developers with flexibility in choosing the method that best suits their preferences and project requirements.

```php
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;

public function buildForm(FormBuilderInterface $builder, array $options): void
{
    // With the lazy option enabled, render only a "show form" button; the real
    // fields (and the CSRF token) are built once that button has been submitted.
    if ($options['csrf_token_lazy']) {
        $builder->add('show_form', SubmitType::class);

        return;
    }

    $builder
        ->add('field_name', TextType::class)
        ->add('submit', SubmitType::class);
}
```
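The JavaScript-free, two-step flow described in the comment above, as an added example that is not code from this PR: a controller that renders only the "show form" button on a cold GET (no session started, response stays cacheable) and builds the real form, and with it the CSRF token, only after that button or the form itself is posted. `ContactType`, `ShowFormType`, the route and the template names are assumptions.

```php
<?php
// Added example, not code from this PR: the two-step flow described above.
// ContactType, ShowFormType, route and template names are assumptions.

namespace App\Controller;

use App\Form\ContactType;  // assumed: the real form type, CSRF protection left on
use App\Form\ShowFormType; // assumed: a form holding one "show_form" SubmitType
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class ContactController extends AbstractController
{
    #[Route('/contact', name: 'contact', methods: ['GET', 'POST'])]
    public function __invoke(Request $request): Response
    {
        // Step 1: the "show form" button carries no data and no CSRF token, so
        // rendering it neither starts a session nor breaks HTTP caching.
        $showForm = $this->createForm(ShowFormType::class, null, ['csrf_protection' => false]);
        $showForm->handleRequest($request);

        // Cold GET: render just the button. 'contact' is the default name of ContactType.
        if (!$showForm->isSubmitted() && !$request->request->has('contact')) {
            return $this->render('contact/show_button.html.twig', [
                'show_form' => $showForm->createView(),
            ]);
        }

        // Step 2: the button (or the real form) was posted. Building the real form
        // now generates the CSRF token, which is the point where the session starts.
        $form = $this->createForm(ContactType::class);
        $form->handleRequest($request);

        // FormTypeCsrfExtension checks the token on every submission; a missing or
        // empty token field makes isValid() false and the submission is rejected.
        if ($form->isSubmitted() && $form->isValid()) {
            // ... process $form->getData() ...
            return $this->redirectToRoute('contact');
        }

        return $this->render('contact/form.html.twig', [
            'form' => $form->createView(),
        ]);
    }
}
```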
Description

This pull request introduces `csrf_token_lazy`, a new form option in Symfony. This option allows for deferred CSRF token generation until form submission, aiding in performance optimization and mitigating conflicts with caching mechanisms.

Motivation

The necessity for this option arises from the default behavior of Symfony's CSRF protection mechanism, which initiates sessions for token generation. However, in scenarios where caching is employed, this behavior can lead to cache misses or bypasses, impacting application performance adversely. By introducing `csrf_token_lazy`, developers gain the ability to generate tokens only when necessary, thus avoiding unnecessary session starts during form rendering.

Functionality

With `csrf_token_lazy` enabled, token generation occurs exclusively during form submission. This ensures that sessions are not initiated unnecessarily during form rendering, thereby maintaining security while optimizing performance, particularly in environments sensitive to caching concerns.

Usage

Developers can enable `csrf_token_lazy` in form configurations: