CSRF invalid if ajax?
<meta name="csrf-token" content="{{ csrf_token('default') }}">
...
$.ajax({
    url: deleteRoute,
    beforeSend: function(xhr) {
        xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content'));
    },
    type: 'POST',
    data: {
        "_method": 'DELETE',
    },
...
public function delete(Request $request, string $uuid) : RedirectResponse
{
    $csrfToken = $request->request->get('csrf_token') ?? $request->headers->get('X-CSRF-Token');
    dump($csrfToken); // example: bIGomIbrDFPW6hhmbX2TNdcYBNEJONjbgeRpvti6QoE
    $validateToken =
        $this->csrfTokenManager->isTokenValid(
            new CsrfToken(
                'default',
                $csrfToken
            )
        );
    dump($validateToken); // always false
    die;
}
CsrfTokenManager.php on line 74:
SessionTokenStorage {#275
  -session: Session {#274
    #storage: NativeSessionStorage {#273
      #bags: array:2 [
        "attributes" => SessionBagProxy {#265
          -bag: AttributeBag {#267
            -name: "attributes"
            -storageKey: "_sf2_attributes"
            #attributes: &1 array:5 [
              "_csrf/https-delete" => "C7PapF_4VbhoJUOxtUeayZnosrF3cL27SMWRVn3QgOw"
              "_security_admin_area" => .....
              "_csrf/https-logout" => "_lvGpx7Gk2pMoFpLt-qqYTexEfzK7mCTzFxbNvO0qig"
              "oldInput" => []
              "_csrf/https-default" => "gWa95mnH89gofqR-WSs0PBRI8WEYpJ7b4erWF44R9Sk"
              // for id default it should be bIGomIbrDFPW6hhmbX2TNdcYBNEJONjbgeRpvti6QoE
            ]