
CSRF token questions

Wednesday 09 January 2013 1:34:03 pm - 3 replies

I have two questions regarding form tokens in ezpublish 5.

1. Despite having framework.csrf_protection disabled in config.yml, eZ Publish legacy calls still complain about a missing form token.

2. How do I get hold of the CSRF token for AJAX calls? Previously this was embedded into the markup, so it was doable, but now that's gone. Is there an easy way to fix this for me without having to modify each and every (present and future) installation?

Wednesday 09 January 2013 3:09:39 pm

For mixed 5.x and legacy setups this is currently not possible out of the box; the workaround is to disable ezformtoken, but that is not recommended.

The way to solve it is probably to change ezformtoken to use the same approach for generating the token:
    sha1( $this->secret . $intention . session_id() );

Assuming $intention can be set to empty or to 'legacy', then we only need secret injected from symfony, as session is already injected.

Created an issue for this: https://jira.ez.no/browse/EZP-20289

As for your second question, the way to get hold of the token in Symfony is provided by the Symfony Form component; there is also one available that doesn't force you to use Forms:
    $token = $view['form']->csrfToken('legacy');

Modified on Wednesday 09 January 2013 4:01:27 pm by André R
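The token scheme quoted in the answer above, written out as an added example (this is not code from eZ Publish, Symfony or the thread): one provider that derives a token from a secret, an intention and the session id, and the matching check an endpoint receiving that token should run. The class and method names, the secret and the session id are all constructed for the example.

```php
<?php
// Added example, not eZ Publish or Symfony code: a minimal provider
// following the scheme quoted in the answer,
//   sha1(secret . intention . session_id())
// plus the verification a consumer of the token should perform.
// Class and method names are hypothetical.

final class LegacyCsrfProvider
{
    private $secret;

    public function __construct($secret)
    {
        // Sanity check chosen for this example: the secret is the only
        // unguessable input, so refuse short or non-string values.
        if (!is_string($secret) || strlen($secret) < 32) {
            throw new InvalidArgumentException('CSRF secret must be a long random string');
        }
        $this->secret = $secret;
    }

    /** Token bound to one intention ('legacy' for eZ Publish legacy modules). */
    public function generateToken($intention, $sessionId)
    {
        return sha1($this->secret . $intention . $sessionId);
    }

    /** Recompute and compare in constant time so timing does not leak the token. */
    public function isTokenValid($intention, $sessionId, $submitted)
    {
        $expected = $this->generateToken($intention, $sessionId);
        return is_string($submitted) && hash_equals($expected, $submitted);
    }
}

// Constructed demo values: a fixed secret and session id stand in for the
// secret Symfony would inject and the live PHP session.
$provider  = new LegacyCsrfProvider(str_repeat('0123456789abcdef', 2));
$sessionId = 'demo-session-id';

$token = $provider->generateToken('legacy', $sessionId);

// Same intention and session: accepted. Different session or intention: rejected.
var_dump($provider->isTokenValid('legacy', $sessionId, $token));
var_dump($provider->isTokenValid('legacy', 'other-session-id', $token));
var_dump($provider->isTokenValid('other', $sessionId, $token));
```

Because the token depends on the session id, a token issued for one session cannot be replayed in another, which is the property a client-side AJAX caller relies on when it sends the token back.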

Thursday 10 January 2013 8:22:30 am

Thanks for the answer.

Getting the form token from a symfony controller is easy enough, I'm more curious about strictly from the client side.

We are hoping to support ez5 without writing any code for it specifically at the time being, and currently it seems that ezformtoken is the only problem we have. I guess we could patch our ez4-modules to embed the token for now if there is no inbuilt way of accessing it client side. 

Modified on Thursday 10 January 2013 8:22:52 am by Raymond Julin

Wednesday 30 January 2013 7:42:26 pm

[ Update on CSRF integration ]
This has now hopefully been fixed in:
https://github.com/ezsystems/ezp-next/pull/211

A small piece of doc has been added as well:
https://confluence.ez.no/display/EZP/Legacy+configuration+injection#Legacyconfigurationinjection-eZFormToken(CSRF)integration

Please try it out if you can and provide some feedback if it fits your needs for this. 
