symfony: [Form] reversal of an error message when a CSRF token is invalid

If a form is sent with an invalid CSRF token, this error message will be displayed: “The CSRF token is invalid. Please try to resubmit the form.”

This message is in fact an instruction on how to bypass CSRF protection. This wording makes the protection more like an attacker’s collaborator 😉

Please change the message to something like “Your session has expired. Please return to the home page and try again.”

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 9
  • Comments: 17 (9 by maintainers)

Most upvoted comments

@nicolas-grekas Sure, I’m used to it 😃

The problem is that it’s (IMHO) impossible to distinguish between a session expiration and a CSRF attack.

  • In case of session expiration you want to pre-populate the form with the submitted data.
  • In case of CSRF you want the opposite.

So it is crazy 🤦‍♂️

But:

  • In case of session expiration, the user knows that he was submitting the form. He may try to resend it.
  • In case of CSRF, the user doesn’t know what’s going on (what is this form?). But in this case, the web just can’t tell him “hey, submit it again”. And resubmitting means: bypassing CSRF protection.

So I don’t know how to solve it technically. But it would be good to reverse the meaning of the error message.
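As an added illustration (not Symfony’s code and not code from anyone in this thread), here is the handling dg describes in plain PHP with a session-bound token: the token is compared in constant time, and on a mismatch the form is re-rendered empty with a neutral notice instead of echoing the submitted data back with an invitation to resubmit. The helper names, the form fields and the wording of the notice are this example’s own assumptions.

```php
<?php
// Added example, not part of the Symfony project or of the original issue.
// Demonstrates: per-session CSRF token, constant-time check, and on failure
// a blank re-render with a neutral message (no repopulation of POST data).
declare(strict_types=1);

session_start();

// One secret per session; a new session (e.g. after expiry) gets a new token,
// so a token minted for the old session can never validate against it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Fails closed: a missing, non-string or mismatching token is rejected.
// hash_equals() avoids leaking the token through timing differences.
function csrf_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Renders a hypothetical "change e-mail" form; $values pre-fills fields.
function render_form(array $values, ?string $notice): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = '';
    if ($notice !== null) {
        $out .= '<p class="notice">' . $h($notice) . '</p>';
    }
    $out .= '<form method="post">'
        . '<input type="hidden" name="_token" value="' . $h(csrf_token()) . '">'
        . '<input name="email" value="' . $h($values['email'] ?? '') . '">'
        . '<button>Change e-mail</button>'
        . '</form>';
    return $out;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['_token'] ?? null)) {
        // Discard the submitted values: a real user can retype them, while a
        // forged request must not be carried over into a second attempt. The
        // notice does not tell the visitor to resubmit.
        echo render_form([], 'Your session has expired. Please return to the home page and try again.');
        exit;
    }
    // Token is valid: apply the change here, then confirm.
    echo render_form(['email' => (string) ($_POST['email'] ?? '')], 'E-mail updated.');
    exit;
}

echo render_form([], null);
```

Note that the rejected POST’s values are dropped on purpose: repopulating the form with `$_POST` and asking the user to click again is exactly the resubmit path the comment above warns about.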

@dg please do not take the comment from @friendlypetite as representative of anyone else than them.

@linaori A visitor has no clue about security tokens; that is internal magic. It should probably be something more direct, like “Possible security issue detected. Do you really want to submit this form?”

I’m not 100% sure how dynamic the CSRF token is. If it’s the same during the entire session life-cycle (even if it’s per form), it could very well be that the attacker has managed to extract this token after the page load (could be done via framesets?), hence I suggest the relog to refresh this token. However, this does not solve the fact that you’re in a frame; this should probably be solved by using the correct headers instead, to disallow these kinds of attacks in the first place.

I see, that makes a lot of sense. I’m personally not a fan of the suggested replacement message, but it’s a very valid point. As this is about security, I think it’s important to warn the user about what’s going on if this is considered a security issue; there’s not much we can fix besides the message in the code/flow.

What about something like: “The security token to verify your identity is invalid, please ensure you want to submit this form again. To reduce the chance of your account being compromised, please [logout url]log out[/logout url] and log back in again.”

It’s a bit of a rough sketch and perhaps a bit long.