views:

48

answers:

4

The login form works fine, but on any other form I submit (things like editing or creating data) I get a "CSRF attack detected" error. I have tried clearing the symfony and browser caches, deleting cookies, and using multiple browsers and multiple computers.

What can cause this? When I turn off the CSRF protection it works fine.

+1  A: 

It's tough to answer this with the information provided. Here are two possibilities:

  • Are you sure the CSRF token is actually being submitted?
  • Is the same form processing both values? CSRF tokens in Symfony are generated from three things: the CSRF secret (set in app.yml), the session_id, and the form class. Is one of these three things changing?
jeremy
The CSRF token is not submitted if you didn't render the hidden fields.
kuba
A: 

Ensure that your form in your template includes the CSRF tag and submits it with the form:

<?php echo $form['_csrf_token']->render(); ?>

I'll go out on a limb and guess that the login form works because you're just using the ready-made sfGuard code, whereas on your own forms you've omitted the tag from the form...?

Tom
+1  A: 

Every time I got this error in the past it was because I forgot to render hidden tags in my form. Don't forget to add this line:

<?php echo $form->renderHiddenFields() ?>
Guillaume Flandre
A: 

To check this, you should try running Fiddler while performing the POST and check the payload for %5B_csrf_token%5D={whateveryourtokenis}.

Michael Noyb
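Pulling the answers together, the two failure modes are a token that never reaches the server (hidden fields not rendered) and a token that no longer matches what symfony recomputes (secret, session id or form class changed). The script below is an added example, not code from the question or answers: it inspects a captured POST body the way the Fiddler check suggests and classifies the failure. The token derivation mirrors symfony 1.x's sfForm::getCSRFToken(), which md5-hashes the CSRF secret, the session id and the form class name; the secret, session id, class name and POST bodies are constructed sample data.

```python
"""Classify a symfony 1.x "CSRF attack detected" failure from a captured POST body."""
import hashlib
from urllib.parse import parse_qs

# Constructed sample values; in a real app the secret comes from configuration
# and the session id from the user's session cookie.
SECRET = "constructed-secret"
SESSION_ID = "abc123sessionid"
FORM_CLASS = "ArticleForm"      # get_class($this) inside sfForm
FORM_NAME = "article"           # name format prefix, giving article[_csrf_token]


def expected_token(secret: str, session_id: str, form_class: str) -> str:
    """Token symfony 1.x embeds in the hidden _csrf_token field:
    md5(secret . session_id . form class). Change any input and the token changes."""
    return hashlib.md5((secret + session_id + form_class).encode()).hexdigest()


def diagnose(post_body: str, form_name: str, secret: str, session_id: str, form_class: str) -> str:
    """Return 'ok', 'missing' (hidden fields never rendered, so no token was posted)
    or 'mismatch' (token posted, but secret/session/form class differ from the server's)."""
    # parse_qs URL-decodes keys, so article%5B_csrf_token%5D becomes article[_csrf_token]
    fields = parse_qs(post_body, keep_blank_values=True)
    submitted = fields.get(f"{form_name}[_csrf_token]")
    if not submitted or not submitted[0]:
        return "missing"
    if submitted[0] != expected_token(secret, session_id, form_class):
        return "mismatch"
    return "ok"


# Constructed request bodies, as they would appear in Fiddler's raw POST view.
GOOD_BODY = ("article%5Btitle%5D=Hello&article%5B_csrf_token%5D="
             + expected_token(SECRET, SESSION_ID, FORM_CLASS))
MISSING_BODY = "article%5Btitle%5D=Hello"            # renderHiddenFields() was omitted
STALE_BODY = ("article%5Btitle%5D=Hello&article%5B_csrf_token%5D="
              + expected_token(SECRET, "other-session", FORM_CLASS))  # session changed

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("missing", MISSING_BODY), ("stale", STALE_BODY)):
        print(label, "->", diagnose(body, FORM_NAME, SECRET, SESSION_ID, FORM_CLASS))
```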