6

How can I protect the logout action? I read the default configuration and set

logout:
    csrf_parameter:       _token
    csrf_provider:        ~
    intention:            logout

but when I try to clear the cache, the following error is displayed:

[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException] Unrecognized options "csrf_provider" under "security.firewalls.main.logout"

I'm using Symfony 2.4 + FOSUserBundle 1.3.

4
  • Could you rephrase your question title? Usually it should not contain any key words tagged in the question. Your title consists only of the keywords.
    – isaias-b
    Jun 22, 2014 at 16:57
  • Have you checked this: stackoverflow.com/questions/20350330/… ?
    – Denis V
    Jun 22, 2014 at 16:58
  • @isi sorry, but I can't rephrase it, because it is a very specific one and my imagination and low English skills prevent me from doing this :( If moderators consider it necessary to rephrase it - I agree.
    – Invis1ble
    Jun 22, 2014 at 17:48
  • @DenisV I have already checked this topic. It isn't too related to my question, but CSRF protection is already enabled in my app.
    – Invis1ble
    Jun 22, 2014 at 17:49

1 Answer

16

I researched Symfony's code and found that the csrf_provider option has been renamed to csrf_token_generator. Then I googled and found a related issue on GitHub. So the problem is unsynchronized documentation.

The final solution is:

configuration:

# app/config/security.yml

security:
    # ...
    firewalls:
        # ...
        your_firewall_name:
            # ...
            logout:
                # ...
                csrf_token_generator: your_csrf_provider # e.g. form.csrf_provider

twig template:

<a href="{{ logout_url('your_firewall_name') }}">Logout</a>

Note that we're using logout_url() instead of logout_path() due to a helper bug (it generates an absolute path without the app_dev.php suffix in the dev environment). These Twig helpers append %token_parameter% to your logout URI, e.g. http://example.com/app_dev.php/logout?_csrf_token=36wX6HYU2ASeZBQw_iwKcUDbplmFm4W7Ez-tMaavDNo.

Hope this information will be helpful.
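A small audit for the misconfiguration discussed in this thread, as an added example that is not part of the original answer or Symfony's own code: it reads a security.yml and reports firewalls whose logout block still uses csrf_provider or has no csrf_token_generator. The function names, finding labels and sample config are constructed for illustration, and the reader handles only block-style, space-indented YAML.

```python
import re

KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+):(.*)$")

def logout_options(yaml_text):
    """Map firewall name -> set of option keys under its logout: block.

    Indentation-based reader for the security.firewalls subset only;
    it is not a general YAML parser (assumption: block-style mappings).
    """
    stack, found = [], {}          # stack holds (indent, key) from the root down
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:          # leave deeper/sibling scopes
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        if path[:2] == ["security", "firewalls"] and len(path) >= 4 and path[3] == "logout":
            opts = found.setdefault(path[2], set())
            if len(path) == 5:
                opts.add(path[4])
    return found

def audit_logout_csrf(yaml_text):
    """Return sorted (firewall, finding) pairs; finding labels are hypothetical."""
    findings = []
    for firewall, opts in sorted(logout_options(yaml_text).items()):
        if "csrf_provider" in opts:
            # The option the question used; rejected with InvalidConfigurationException.
            findings.append((firewall, "unrecognized-csrf-provider"))
        elif "csrf_token_generator" not in opts:
            findings.append((firewall, "missing-csrf-token-generator"))
    return findings

# Constructed sample config: one firewall per case.
SAMPLE = """\
security:
    firewalls:
        main:
            pattern: ^/
            logout: {q}
        admin:
            logout:
                path: /admin/logout   # no CSRF option at all
        api:
            logout:
                csrf_token_generator: form.csrf_provider
""".format(q="\n                csrf_parameter: _token\n                csrf_provider: ~")

if __name__ == "__main__":
    for firewall, finding in audit_logout_csrf(SAMPLE):
        print(firewall, finding)
```

A firewall with no logout key is not reported, since there is no logout action to protect.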
