What is the best way to check CSRF tokens?
I think this is a simple question, and yet... I keep running into these two ways of checking CSRF tokens:

// Variant 1: a single token id ('delete') shared by every delete action
if (!$this->isCsrfTokenValid('delete', $request->request->get('token'))) {
    return new Response('Error');
}

// Variant 2: the token id is bound to the specific entity being deleted
if (!$this->isCsrfTokenValid('delete' . $entity->getId(), $request->request->get('token'))) {
    return new Response('Error');
}
Both ways are correct. It's just that the second one is more resistant to CSRF attacks. For example, the default form component uses the form class name for the "intention" field (the "keyword", in your terms): https://github.com/symfony/form/blob/a0386553fabb5...
On the other hand, there is also the opinion that using different tokens does not make the application any more secure; see https://github.com/symfony/symfony/issues/18115
Personally, I use the first option, i.e. one token for the entire application.
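Added example, not code from the question, the answer, or Symfony itself: a minimal session-backed token manager in plain PHP, modelled on the Symfony pattern of one random value per token id, that makes the difference between the two ids concrete. The class name, the in-memory store standing in for the session, and the entity ids 7 and 9 are constructed for illustration.

```php
<?php
// Added example (not Symfony's CsrfTokenManager): one random secret per
// token *id*, kept server-side, compared in constant time. The store below
// stands in for the session; in Symfony the real storage is the session too.

final class MiniCsrfTokenManager
{
    /** @var array<string,string> token id => random token value */
    private array $store = [];

    // Return the token already issued for this id, or issue a fresh one
    // (mirrors the role of getToken() on the framework's manager).
    public function getToken(string $tokenId): string
    {
        if (!isset($this->store[$tokenId])) {
            $this->store[$tokenId] = bin2hex(random_bytes(32));
        }
        return $this->store[$tokenId];
    }

    // The submitted value comes from $request->request->get('token') in the
    // question's code, so it may be missing entirely; treat null as invalid
    // rather than passing it to hash_equals(), which requires two strings.
    public function isTokenValid(string $tokenId, ?string $submitted): bool
    {
        if ($submitted === null || !isset($this->store[$tokenId])) {
            return false;
        }
        return hash_equals($this->store[$tokenId], $submitted);
    }
}

// Constructed scenario: the same user has delete forms open for entity 7 and entity 9.
$csrf = new MiniCsrfTokenManager();

// Variant 1: every delete form uses the id 'delete', so both forms carry
// the same value and a token taken from one form validates for the other.
$shared = $csrf->getToken('delete');
var_dump($csrf->isTokenValid('delete', $shared));

// Variant 2: the id is bound to the entity, so a token issued for
// 'delete7' is rejected when presented for 'delete9' (no value stored
// under that id, and even if there were, it would be a different secret).
$forEntity7 = $csrf->getToken('delete' . 7);
var_dump($csrf->isTokenValid('delete' . 7, $forEntity7));
var_dump($csrf->isTokenValid('delete' . 9, $forEntity7));

// A missing form field never validates under either variant.
var_dump($csrf->isTokenValid('delete', null));
```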