symfony: [Authenticator] Invalid CSRF token (BC with SF 5.4)

Symfony version(s) affected

5.4.1

Description

Can’t authenticate with FormLoginAuthenticator.

How to reproduce

# security.yaml

    firewalls:
        app:
            ...
            form_login:
                enable_csrf: true

The Symfony app is served by nginx running in Docker.

If I try to log in using a hostname (foo.local:8001/login) I get this error:

[2021-12-09T18:23:05.087720+01:00] security.INFO: Authenticator failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\InvalidCsrfTokenException(code: 0): Invalid CSRF token. at /home/docker/symfony/vendor/symfony/security-http/EventListener/CsrfProtectionListener.php:51)","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.087796+01:00] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"umbrella_admin_login"} []
[2021-12-09T18:23:05.119546+01:00] security.DEBUG: The "Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator" authenticator set the failure response. {"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.119629+01:00] security.DEBUG: The "Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\Debug\\TraceableAuthenticator"} []
[2021-12-09T18:23:05.145225+01:00] request.INFO: Matched route "umbrella_admin_login". {"route":"umbrella_admin_login","route_parameters":{"_route":"umbrella_admin_login","_controller":"Umbrella\\AdminBundle\\Controller\\SecurityController::login"},"request_uri":"http://foo.local:8001/login","method":"GET"} []
[2021-12-09T18:23:05.146043+01:00] security.DEBUG: Checking for authenticator support. {"firewall_name":"app","authenticators":1} []
[2021-12-09T18:23:05.146079+01:00] security.DEBUG: Checking support on authenticator. {"firewall_name":"app","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2021-12-09T18:23:05.146106+01:00] security.DEBUG: Authenticator does not support the request. {"firewall_name":"app","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []

If I try to log in using a hostname (foo.local:8001/login) it works.

Downgrading Symfony to 5.4.0 solves the problem.

Possible Solution

No response

Additional Context

No response

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 22 (4 by maintainers)

Most upvoted comments

I think those issues are all about cookie_secure set to auto and the change made in 36b466e0f2a7c4045e66ee27691721ea188afe76:

I have the same issue when I upgrade Symfony from 5.4.0 to 5.4.1.

On local development I use

http://xxxxx.local

My session config was


session:
   handler_id: null
   cookie_secure: 'auto'
   cookie_samesite: 'lax'
   storage_factory_id: session.storage.factory.native

Since 5.4.1, to resolve the problem (dev environment only), I change cookie_secure:

session:
   handler_id: null
   cookie_secure: false
   cookie_samesite: 'lax'
   storage_factory_id: session.storage.factory.native
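The cookie_secure discussion above, as an added example that is not code from this issue or from Symfony: a toy session store stands in for the application and Python's http.cookiejar stands in for the browser. The ToyApp class, the PHPSESSID cookie name and the http://foo.local:8001 URL are assumptions made for the model. A browser, like the cookie jar here, never sends a cookie flagged Secure on a plain http request, so once the session cookie carries that flag every http login lands in a fresh session and the CSRF check fails with the same "Invalid CSRF token" seen in the logs. Whether cookie_secure: 'auto' resolves to Secure on a given request depends on what scheme the app believes it was reached over (behind a reverse proxy that is a trusted-proxy question); the model reduces that belief to the URL scheme.

```python
"""Model of why a Secure session cookie breaks the CSRF check over plain http.

Constructed example: a toy stand-in for the session/CSRF flow, using
http.cookiejar to reproduce browser behaviour (a cookie carrying the Secure
attribute is only sent back on https). The server side is not Symfony.
"""
import http.cookiejar
import secrets
import urllib.request
from email.message import Message


class ToyApp:
    """Assumed minimal app: one session store and a login form with a CSRF token."""

    def __init__(self, cookie_secure):
        # Mirrors framework.session.cookie_secure: True, False or "auto".
        self.cookie_secure = cookie_secure
        self.sessions = {}  # session id -> {"csrf": token}

    def _resolve_secure(self, request):
        # "auto" follows the scheme the app believes the request arrived on.
        if self.cookie_secure == "auto":
            return request.type == "https"
        return bool(self.cookie_secure)

    def _session_for(self, request):
        """Return (session_id, session, is_new) from the Cookie header the client sent."""
        for part in request.get_header("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "PHPSESSID" and value in self.sessions:
                return value, self.sessions[value], False
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(16)}
        return sid, self.sessions[sid], True

    def get_login(self, request):
        """GET /login: start a session, return (Set-Cookie header, token rendered in the form)."""
        sid, session, _ = self._session_for(request)
        set_cookie = f"PHPSESSID={sid}; Path=/; HttpOnly; SameSite=Lax"
        if self._resolve_secure(request):
            set_cookie += "; Secure"
        return set_cookie, session["csrf"]

    def post_login(self, request, submitted_token):
        """POST /login: compare the submitted token with the one stored in the session."""
        _, session, is_new = self._session_for(request)
        if is_new or not secrets.compare_digest(session["csrf"], submitted_token):
            return "Invalid CSRF token."
        return "authenticated"


def _response_with(set_cookie):
    """Minimal response object that CookieJar.extract_cookies() can read."""
    msg = Message()
    msg["Set-Cookie"] = set_cookie

    class _Resp:
        def info(self):
            return msg

    return _Resp()


def login_attempt(cookie_secure, scheme, host="foo.local:8001"):
    """Simulate GET /login followed by POST /login from a browser on the given scheme."""
    app = ToyApp(cookie_secure)
    jar = http.cookiejar.CookieJar()  # the browser's cookie store
    url = f"{scheme}://{host}/login"

    # 1. GET /login: the session is created and the browser stores the cookie.
    get_req = urllib.request.Request(url)
    jar.add_cookie_header(get_req)
    set_cookie, token = app.get_login(get_req)
    jar.extract_cookies(_response_with(set_cookie), get_req)

    # 2. POST /login: the browser attaches the cookie only if its policy allows it.
    post_req = urllib.request.Request(url, data=b"", method="POST")
    jar.add_cookie_header(post_req)
    return app.post_login(post_req, token)


if __name__ == "__main__":
    for secure, scheme in [(True, "http"), (False, "http"), ("auto", "http"), ("auto", "https")]:
        print(f"cookie_secure={secure!r:7} over {scheme}: {login_attempt(secure, scheme)}")
```

The failing combination is a Secure-flagged session cookie on an http site: the POST arrives without a session, a fresh one is created, and the token in the form never matches. To check a real deployment, look at the Set-Cookie header of the login page response over http; if it carries Secure while the page itself is served over http, the login form cannot work until either the site is served over https or cookie_secure is set explicitly for that environment.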

I found what breaks it. If I revert this pull request, https://github.com/symfony/symfony/pull/44437, the CSRF token starts to work. Friendly ping @simonchrz @derrabus

Hi, I ran into that about a week ago and am still struggling. Symfony version 6.0.8. It works well on my local env (Fedora 35) but fails when deployed (Ubuntu 22). So this is kind of configuration/OS-based. But I still cannot manage to find the differences in my setups.

@fecambot In my case, there are no error messages because a double redirect is triggered. Try looking at your Symfony logs. What I have there are 2 requests. The first goes to the authenticator and fails with "Invalid CSRF token". Then it redirects to the login page again, and now comes your "does not support the request" error. And I guess that the session or flash messages are being lost somewhere in the process.

Will be happy to provide any further information.

Can you try out #44518 if this fixes your issue?

@alexander-schranz It does the job 😃

I don't even get an error with a wrong password.

@Jonathanlight what do you mean?

I am on 6.0.7 and still have this error: Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\CustomAuthAuthenticator"}

@alexander-schranz I should’ve read all the comments! Yes, that seems to do the trick too. Thanks!
