Symfony CSRF 和 Ajax
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12054449/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Symfony CSRF and Ajax
提问by peterrus
I am trying to implement some ajax functionality in my Symfony 2 project. Using jquery's $.post I want to send some data back to my controller. However, when I just POST the data no CSRF protection is in place, as symfony's csrf protection only seems to apply to forms.
我正在尝试在我的 Symfony 2 项目中实现一些 ajax 功能。使用 jquery 的 $.post 我想将一些数据发送回我的控制器。但是,当我只是发布数据时,没有 CSRF 保护到位,因为 symfony 的 csrf 保护似乎只适用于表单。
What would be a pretty straightforward way to implement this?
什么是实现这一点的非常简单的方法?
When using forms I can just do $form->isValid() to find out whether or not the CSRF token passes. I am currently placing everything I want to POST in a form and then posting that. Which basically means I am only using that form to implement CSRF protection, which seems hacky.
使用表单时,我只需执行 $form->isValid() 即可确定 CSRF 令牌是否通过。我目前正在将我想发布的所有内容放在表单中,然后发布。这基本上意味着我只使用该表单来实现 CSRF 保护,这似乎很糟糕。
采纳答案by Vitalii Zurian
In Symfony2 CSRF token is based on session by default. If you want to generate it, you just have to get this service and call generation method:
在 Symfony2 中,CSRF 令牌默认基于会话。如果你想生成它,你只需要得到这个服务并调用生成方法:
//Symfony\Component\Form\Extension\Csrf\CsrfProvider\SessionCsrfProvider by default
$csrf = $this->get('form.csrf_provider');
//Intention should be empty string, if you did not define it in parameters
$token = $csrf->generateCsrfToken($intention);
return new Response($token);
This questionmight be useful for you
这个问题可能对你有用
回答by Josh Ribakoff
I had this problem, intermittently. Turned out it was not due to my ajax, but because Silex gives you a deprecated DefaultCsrfProviderwhich uses the session ID itself as part of the token, and I change the ID randomly for security. Instead, explicitly telling it to use the new CsrfTokenManagerfixes it, since that one generates a token and stores it inthe session, such that the session ID can change without affecting the validity of the token.
我有这个问题,间歇性的。原来这不是由于我的 ajax,而是因为 Silex 为您提供了一个已弃用的方法DefaultCsrfProvider,它使用会话 ID 本身作为令牌的一部分,为了安全起见,我随机更改了 ID。相反,明确告诉它使用新的CsrfTokenManager修复它,因为它会生成一个令牌并将其存储在会话中,这样会话 ID 可以更改而不影响令牌的有效性。
/** Use a CSRF provider that does not depend on the session ID being constant. We change the session ID randomly */
$app['form.csrf_provider'] = $app->share(function ($app) {
$storage = new Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage($app['session']);
return new Symfony\Component\Security\Csrf\CsrfTokenManager(null, $storage);
});
回答by Luke Adamczewski
You should try this snippet. Symfony form should generate special _csrf_token that should be send with post request. Without this value security alert will be raised.
你应该试试这个片段。Symfony 表单应该生成特殊的 _csrf_token,应该与 post 请求一起发送。如果没有此值,将引发安全警报。
Of course #targetForm should be replaced by form id and /endpoint by target ajax url
当然#targetForm 应该替换为form id 和/endpoint 替换为target ajax url
$('#targetForm').bind('submit', function(e) {
e.preventDefault();
var data = $(this).serialize();
$.post('/endpoint', data, function(data) {
// some logic here
});
});
