-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ep6-security] [login-form-authenticator] #36
Comments
@Leannapelham |
Hey @Arman-Hosseini Thanks for highlighting that problem. Your solution may work but here is a better way to check if the CRSF token is valid |
Actually, CSRF is not too important for login form I think, as you still need to know the valid credentials, i.e. username and password. I don't see a big problem that CSRF may harm here, do you @Arman-Hosseini ? I mean, if someone will send a SCRF request to the login endpoint - it will just fail because the intruder does not know valid credentials. Or, if the intruder does know the credentials - well, then the CSRF is the smallest problem for you because they can log in directly without any CSRF :) |
Yes, but not having it will lead to easier cracking of the login form. |
Yea, even on the login form, you should have csrf. It looks like we show that for Symfony 4, but not 3. Probably best to add a note, since 3.4 is still supported. Also, fun fact, samesite cookies kill the need for csrf. They are possible in Symfony 4, but I think will be on by default for Symfony 5. We’ll likely show those for our sf5 tutorial. |
Agree, sounds good to add a note about it with a link that refers to the page Diego mentioned where we're talking about CSRF in Sf4. @Arman-Hosseini could you create an initial a PR for this note? |
Yes, I will be making a request soon. |
OK, great! Thank you for helping with this @Arman-Hosseini ! |
Hello guys.
I have reviewed this chapter and I noticed a problem.
In this section, the CSRF token is not checked and this is a serious problem.
And I considered the following solution for it:
I hope that this issue will be useful.
The text was updated successfully, but these errors were encountered: