
CSRF token questions


Wednesday 09 January 2013 1:34:03 pm - 3 replies

I have two questions regarding form tokens in ezpublish 5.

1. Despite having framework.csrf_protection disabled in config.yml, ez publish legacy calls still complain about missing form token.

2. How do I get a hold of the csrf token for ajax calls? Previously this was embedded into the markup so it was doable, but now that's gone. Is there an easy way to fix this for me without having to modify each and every (present and future) installation?

Wednesday 09 January 2013 3:09:39 pm

For mixed 5.x and legacy setups this is currently not possible out of the box. The workaround is to disable ezformtoken, but that is not recommended.

The way to solve it is probably to change ezformtoken to use same approach for generating the token:
    sha1( $this->secret . $intention . session_id() );

Assuming $intention can be set to empty or to 'legacy', then we only need secret injected from symfony, as session is already injected.

Create an issue for this:


As for your second question, the way to get a hold on the token in symfony is provided by Symfony Form component, there is also one available that doesn't force you to use Forms:
    $token = $view['form']->csrfToken('legacy');

Modified on Wednesday 09 January 2013 4:01:27 pm by André R
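
An added example, not part of the thread and not eZ Publish or Symfony code: a sketch of the shared derivation quoted in the reply above, showing that the legacy side accepts a token only when secret, intention and session ID all match. The function names, the secret and the session IDs are hypothetical; `hash_equals()` requires PHP 5.6 or later.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

/**
 * Derive a token with the formula quoted in the post:
 * sha1(secret . intention . session id).
 */
function deriveCsrfToken(string $secret, string $intention, string $sessionId): string
{
    if ($secret === '' || $sessionId === '') {
        // Without a secret or a session the token would be predictable.
        throw new InvalidArgumentException('secret and session id must be non-empty');
    }
    return sha1($secret . $intention . $sessionId);
}

/**
 * Recompute the expected token and compare it in constant time,
 * so the comparison does not leak how many leading characters matched.
 */
function isCsrfTokenValid(string $submitted, string $secret, string $intention, string $sessionId): bool
{
    $expected = deriveCsrfToken($secret, $intention, $sessionId);
    return hash_equals($expected, $submitted);
}

// Constructed sample values.
$secret   = 'constructed-sample-secret';
$sessionA = 'sess-aaaa1111';
$sessionB = 'sess-bbbb2222';

// Token emitted by one stack, then checked by the other.
$token = deriveCsrfToken($secret, 'legacy', $sessionA);

var_dump(isCsrfTokenValid($token, $secret, 'legacy', $sessionA));        // same inputs on both sides
var_dump(isCsrfTokenValid($token, $secret, 'legacy', $sessionB));        // different session
var_dump(isCsrfTokenValid($token, $secret, '', $sessionA));              // intention mismatch
var_dump(isCsrfTokenValid($token, 'other-secret', 'legacy', $sessionA)); // secret not shared
```

Only the first check passes, which is why both stacks need the same secret and the same intention string before they can validate each other's tokens.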

Thursday 10 January 2013 8:22:30 am

Thanks for the answer.

Getting the form token from a symfony controller is easy enough, I'm more curious about strictly from the client side.

We are hoping to support ez5 without writing any code for it specifically at the time being, and currently it seems that ezformtoken is the only problem we have. I guess we could patch our ez4-modules to embed the token for now if there is no inbuilt way of accessing it client side. 

Modified on Thursday 10 January 2013 8:22:52 am by Raymond Julin

Wednesday 30 January 2013 7:42:26 pm

[ Update on CSRF integration ]
This has now hopefully been fixed in:

A small piece of doc has been added as well:

Please try it out if you can and provide some feedback if it fits your needs for this. 

