Incorrect generation CSRF token

Symfony version(s) affected: 5.2.2

Incorrect generation CSRF token
How to reproduce
Register by this instruction
For the login form, follow the Symfony rules

namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Form\Extension\Core\Type\PasswordType;

class LoginType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('email', null, array('label' => false, 'attr' => ['class' => 'register-form-input', 'autocomplete' => 'off']));
        $builder->add('password', PasswordType::class, array('label' => false, 'attr' => ['class' => 'register-form-input', 'autocomplete' => 'off']));
    }

    public function configureOptions(OptionsResolver $resolver)
    {
        // Configure your form options here
    }
}


                    {{ form_start(login_form) }}
                    <b>Email:</b><br />
                    {{ form_row( }}
                    <b>Password:</b><br />
                    {{ form_row(login_form.password) }}
                    <div class="text-center"><button type="submit" class="site-btn">ENTER</button></div>
                    {{ form_row(login_form._token) }}
                    {{ form_end(login_form) }}

Possible Solution
I poked around for a long time, but apart from doing it the wrong way (not using standard Symfony forms) I couldn’t think of anything.

Additional context
In general, I made the login form according to the instructions; I decided to build the form itself as a standard component, and when I submit the form I constantly get an error: Invalid CSRF token

After a long trial, I realized that the form generates the wrong CSRF token…


                    {{ form_row(login_form._token) }}
                    <input type="hidden" name="_csrf_token"
                           value="{{ csrf_token('authenticate') }}">

I added to the Twig template the example as written in the recipe and, for comparison, the CSRF token which the form itself generates.
HTML output:

<input type="hidden" name="_csrf_token" value="Xtnmxi4Pn_N95067wjxYEMh3t7vhf4FiPJCxYNUnWqA">
<input type="hidden" id="login__token" name="login[_token]" value="ZtVwBzXtPbbnZp-5D4RysR7eDDt1z3Tr5WvBCv7C1VU" /></form>

You can observe that the tokens that are generated for the same form are different, which causes a validation error.
I asked on other resources and eventually found out that I’m not the only one facing this problem.

> “I also came across this and could not find a solution. In the end, also 2 tokens, one native and one manual.”

I would like to get an official answer from the developers; it is not clear how to live with this, it looks more like some kind of inconsistency between components in the code …

1 possible answer(s) on “Incorrect generation CSRF token”

  1. CSRF tokens are created based on a CSRF token id. A CSRF token created with one token id will never match another token id.

    In your Twig code, you’re using authenticate as the token id. The form CSRF extension defaults to the form name as token id:

    $options['csrf_token_id'] ?: ($builder->getName() ?: \get_class($builder->getType()->getInnerType())),

    So they will indeed never match.

    Btw, if you’re using the Form component with CSRF integration, the CSRF token is already validated by the form. There is no need to pass the generated CSRF token to the security component for validation.

    To conclude, I don’t see anything unexpected here. If you need help setting up login with the form component, please use any of the support channels mentioned on (e.g. StackOverflow or Slack). If there is a bug, feel free to comment, we can always reopen issues 🙂
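The token-id mismatch the answer describes, as an added, stand-alone illustration (not code from the issue or from Symfony itself). It uses the real Symfony CsrfTokenManager with an in-memory storage class standing in for the session, plus a hypothetical helper `resolveFormTokenId()` that mirrors the fallback expression quoted above; the Composer autoload path and the `csrf_token_id` value `'authenticate'` are assumptions for the demo.

```php
<?php
// Added illustration (not code from the issue or from Symfony): a CSRF token
// minted under one token id is rejected under another, and setting the form's
// csrf_token_id option lines the form token up with csrf_token('authenticate').
// Assumes symfony/security-csrf is installed via Composer (autoload path assumed).
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;

// Stand-in for the session-backed storage so the script runs without a request.
final class ArrayTokenStorage implements TokenStorageInterface
{
    private $tokens = [];

    public function getToken(string $tokenId)
    {
        if (!isset($this->tokens[$tokenId])) {
            throw new \RuntimeException(sprintf('No CSRF token stored for id "%s".', $tokenId));
        }

        return $this->tokens[$tokenId];
    }

    public function setToken(string $tokenId, string $token)
    {
        $this->tokens[$tokenId] = $token;
    }

    public function removeToken(string $tokenId)
    {
        $old = $this->tokens[$tokenId] ?? null;
        unset($this->tokens[$tokenId]);

        return $old;
    }

    public function hasToken(string $tokenId)
    {
        return isset($this->tokens[$tokenId]);
    }
}

// Hypothetical helper mirroring the fallback the answer quotes from the Form
// CSRF extension: csrf_token_id option, else the form name, else the type class.
function resolveFormTokenId(array $options, string $formName, string $typeClass): string
{
    return ($options['csrf_token_id'] ?? null) ?: ($formName ?: $typeClass);
}

// Empty namespace = plain HTTP; the default namespace closure prefixes "https-" on TLS.
$manager = new CsrfTokenManager(new UriSafeTokenGenerator(), new ArrayTokenStorage(), '');

// Form named "login" with no csrf_token_id: the hidden login[_token] field is
// minted under the id "login", not "authenticate".
$formTokenId = resolveFormTokenId([], 'login', 'App\Form\LoginType');
$formTokenValue = $manager->getToken($formTokenId)->getValue();

// The manual hidden field from the recipe is minted under "authenticate" instead.
$manualTokenValue = $manager->getToken('authenticate')->getValue();

// Validate each value under the id the security layer checks ("authenticate").
var_dump($manager->isTokenValid(new CsrfToken('authenticate', $formTokenValue)));
var_dump($manager->isTokenValid(new CsrfToken('authenticate', $manualTokenValue)));

// Form-side fix: declare the same id in LoginType::configureOptions(), e.g.
//   $resolver->setDefaults(['csrf_token_id' => 'authenticate']);
// Then the form token is minted and validated under "authenticate".
$alignedId = resolveFormTokenId(['csrf_token_id' => 'authenticate'], 'login', 'App\Form\LoginType');
$alignedValue = $manager->getToken($alignedId)->getValue();
var_dump($manager->isTokenValid(new CsrfToken('authenticate', $alignedValue)));
```

Running it prints false, true, true: the form-generated value fails under the id `authenticate`, the recipe's manual value passes, and once the form declares `csrf_token_id`, its own token passes too. Note that two `getToken()` calls for the same id need not return byte-identical strings (the manager masks the stored value on each render), so compare tokens only through `isTokenValid()`, never by string equality. As the answer says, with the Form component's CSRF integration the form already validates `login[_token]` on submit, so the extra `_csrf_token` field is redundant.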