symfony: Symfony 5.3: the CSRF token is invalid on all forms protected by CSRF when using "remember me"

Symfony version(s) affected: 5.3.1

Description

I’ve upgraded from Symfony 5.2 to 5.3.1 and since then, in production, submitting any form protected by CSRF fails with

the csrf token is invalid. please try to resubmit the form

Even forms not handled by me (for example I have EasyAdminBundle and its forms fail too).

How to reproduce

  1. Install Symfony + EasyAdminBundle
  2. For the session I use
         framework:
             session:
                 handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
                 cookie_secure: auto
                 cookie_samesite: lax
  3. Login in EasyAdmin
  4. Try to submit a form -> you get the error

Possible Solution

Additional context

Is it related to https://github.com/symfony/symfony/pull/39919 ?

It happens only in production.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 45 (10 by maintainers)

Most upvoted comments

@ovidals and I were able to fix our error; we are finally not receiving the invalid CSRF token. We defined a custom authenticator, like in the official documentation, and the login process was returning that CSRF error. Then, while debugging, we found that the CSRF ID was wrong, so in the LoginAuthenticator::authenticate method, instead of having

    return new Passport(
        new UserBadge($username),
        new PasswordCredentials($password),
        [new CsrfTokenBadge('login', $csrfToken)]
    );

we replaced it with

    return new Passport(
        $user,
        new PasswordCredentials($password),
        [new CsrfTokenBadge('authenticate', $csrfToken)]
    );

And now it’s working. Maybe it’s only our particular case, but I came to explain it here just in case someone else had the same error.
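The point in the comment above is that the first argument of CsrfTokenBadge is the token ID, and it has to be the same ID the login template passed to csrf_token(). The following is an added example, not the commenter's code and not Symfony's own: a complete Symfony 5.3 login-form authenticator written against the public API (AbstractLoginFormAuthenticator, Passport, UserBadge, PasswordCredentials, CsrfTokenBadge, RememberMeBadge), with the token ID kept in one constant so the template and the badge cannot drift apart. The route names app_login and app_home, and the field names _username, _password and _csrf_token, are assumptions.

```php
<?php
// Added example, not the commenter's code: a Symfony 5.3 login-form authenticator whose
// CsrfTokenBadge ID matches the ID used by csrf_token() in the login template.
// Assumed names: routes "app_login" / "app_home", fields _username/_password/_csrf_token,
// and a Twig login template that renders
//   <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

class LoginAuthenticator extends AbstractLoginFormAuthenticator
{
    use TargetPathTrait;

    // Single source of truth for the token ID: the template must call
    // csrf_token(self::CSRF_TOKEN_ID), otherwise the badge looks up a token
    // that was never generated and the login fails with "Invalid CSRF token.".
    public const CSRF_TOKEN_ID = 'authenticate';
    public const LOGIN_ROUTE = 'app_login';

    private UrlGeneratorInterface $urlGenerator;

    public function __construct(UrlGeneratorInterface $urlGenerator)
    {
        $this->urlGenerator = $urlGenerator;
    }

    public function authenticate(Request $request): PassportInterface
    {
        $username = (string) $request->request->get('_username', '');
        $password = (string) $request->request->get('_password', '');
        $csrfToken = (string) $request->request->get('_csrf_token', '');

        // The badge ID is the token's ID (its namespace in the token storage),
        // not the name of the form field that carries it.
        return new Passport(
            new UserBadge($username),
            new PasswordCredentials($password),
            [
                new CsrfTokenBadge(self::CSRF_TOKEN_ID, $csrfToken),
                new RememberMeBadge(), // lets the remember_me listener act on this login
            ]
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // Send the user back to the page they originally asked for, if any.
        if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) {
            return new RedirectResponse($targetPath);
        }

        return new RedirectResponse($this->urlGenerator->generate('app_home'));
    }

    protected function getLoginUrl(Request $request): string
    {
        return $this->urlGenerator->generate(self::LOGIN_ROUTE);
    }
}
```

Whatever ID you pick, grep for it in both places when the login form starts rejecting tokens: the csrf_token() call in the template and the CsrfTokenBadge in the authenticator must agree, and nothing else in the framework ties them together.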

Same here, CSRF not working when trying to update to 5.3.

{"message":"Invalid CSRF token."}

If you are on a dev env and using plain HTTP for requests, then you should define cookie_secure: false. For HTTPS usage, cookie_secure should be set to true, because auto would not change properly to true (which is done with SessionListener).

@allan-simon, @cmmata was the one who fixed the issue with the approach in his last comment. With ‘login’ the CSRF token does not work, but it does with ‘authenticate’.

I’m having the same issue on Symfony 5.4 (actually I started to get it after updating from 5.3 to 5.4). But I notice that when I open prod, I instantly have a PHPSESSID cookie set 😃; when I open my dev env site, I have no cookies at all.

framework:
    session:
        handler_id: null # or session.handler.native_file is the same.
        cookie_secure: auto
        cookie_samesite: lax
        storage_factory_id: session.storage.factory.native

I found what is going on. It happens when prod is on HTTP; if you’re using HTTPS, CSRF is working.

I am on Symfony 6.0.0 and have this error.

I see both setcookies from public/index.php.

I cannot use HTTPS because of internal local access without a certificate.

What do I have to do to solve this problem? I am not very familiar with Symfony.

So if you run into a similar issue, try the following:

  1. Edit your public/index.php to only contain 2 setcookie calls (no Symfony, nothing else, just pure PHP).
  2. If you see only 1 Set-Cookie header, it’s because you have something in the middle of your stack that prevents multiple HTTP headers with the same name from being set.

OK, I’m making progress. I’ve activated the web profiler in Lambda in the “prod” setting, so I’m able to add dump() calls here and there.

So, first finding: the token is considered invalid because this test fails

https://github.com/symfony/security-csrf/blob/5.3/CsrfTokenManager.php#L111

    public function isTokenValid(CsrfToken $token)
    {
        $namespacedId = $this->getNamespace().$token->getId();
        if (!$this->storage->hasToken($namespacedId)) {
            return false;
        }

The hasToken call returns false.

The value of the $namespacedId variable is

https-CompanyAdmin

(it’s the name of the entity of the form)

and the storage is an instance of Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage.
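Two things in this thread decide whether hasToken() finds the token: the "https-" prefix seen in $namespacedId above (CsrfTokenManager's default namespace is "https-" on a secure request and empty otherwise, so a token generated under one scheme is looked up under a different key on the other), and the Secure flag on the session cookie that the cookie_secure comment earlier discusses (a cookie flagged Secure is not sent by the browser over plain HTTP, so the next request starts an empty session). The following is an added, stand-alone PHP 8 model of both mechanisms, not Symfony's code; the classes FakeBrowser, FakeServer and FakeRequest and the helper roundTrip() are invented for the example, and the token storage is a plain array standing in for SessionTokenStorage.

```php
<?php
declare(strict_types=1);
// Added example, not Symfony's code: models CsrfTokenManager's "https-" namespace and a
// session cookie whose Secure flag follows framework.session.cookie_secure. All names
// (FakeRequest, FakeBrowser, FakeServer, roundTrip) are invented for this example.

final class FakeRequest
{
    public function __construct(public bool $secure, public array $cookies = [])
    {
    }
}

/** A browser cookie jar: a cookie flagged Secure is only sent on HTTPS requests. */
final class FakeBrowser
{
    /** @var array<string, array{0: string, 1: bool}> name => [value, secure] */
    private array $jar = [];

    public function setCookie(string $name, string $value, bool $secure): void
    {
        $this->jar[$name] = [$value, $secure];
    }

    public function request(bool $https): FakeRequest
    {
        $sent = [];
        foreach ($this->jar as $name => [$value, $secure]) {
            if ($https || !$secure) {
                $sent[$name] = $value;
            }
        }

        return new FakeRequest($https, $sent);
    }
}

/** Server side: sessions keyed by id, CSRF tokens stored inside the session. */
final class FakeServer
{
    /** @var array<string, array<string, string>> session id => [namespaced token id => token] */
    private array $sessions = [];

    public function __construct(private string $cookieSecure) // 'auto', 'true' or 'false'
    {
    }

    /** Mirrors CsrfTokenManager's default namespace: "https-" on secure requests, "" otherwise. */
    private function namespace(FakeRequest $r): string
    {
        return $r->secure ? 'https-' : '';
    }

    /** Resume the session named by PHPSESSID, or start a new one and set the cookie. */
    private function sessionId(FakeRequest $r, FakeBrowser $b): string
    {
        $id = $r->cookies['PHPSESSID'] ?? '';
        if ($id === '' || !isset($this->sessions[$id])) {
            $id = bin2hex(random_bytes(8));
            $this->sessions[$id] = [];
            $secure = match ($this->cookieSecure) {
                'auto' => $r->secure,   // Secure only if this request came over HTTPS
                'true' => true,
                default => false,
            };
            $b->setCookie('PHPSESSID', $id, $secure);
        }

        return $id;
    }

    /** GET the form: generate a token for $tokenId under this request's namespace. */
    public function renderForm(FakeBrowser $b, bool $https, string $tokenId): string
    {
        $r = $b->request($https);
        $sid = $this->sessionId($r, $b);
        $key = $this->namespace($r) . $tokenId;   // e.g. "https-CompanyAdmin"
        $this->sessions[$sid][$key] ??= bin2hex(random_bytes(16));

        return $this->sessions[$sid][$key];
    }

    /** POST the form: the same two steps as CsrfTokenManager::isTokenValid(). */
    public function submitForm(FakeBrowser $b, bool $https, string $tokenId, string $token): bool
    {
        $r = $b->request($https);
        $sid = $this->sessionId($r, $b);
        $key = $this->namespace($r) . $tokenId;
        if (!isset($this->sessions[$sid][$key])) {
            return false;   // hasToken() is false: "The CSRF token is invalid."
        }

        return hash_equals($this->sessions[$sid][$key], $token);
    }
}

/** Render a form under one scheme, submit it under another, report the CSRF check result. */
function roundTrip(string $cookieSecure, bool $renderHttps, bool $submitHttps): bool
{
    $browser = new FakeBrowser();
    $server = new FakeServer($cookieSecure);
    $token = $server->renderForm($browser, $renderHttps, 'CompanyAdmin');

    return $server->submitForm($browser, $submitHttps, 'CompanyAdmin', $token);
}

// Same scheme for both requests: token found and matching.
var_dump(roundTrip('auto', true, true), roundTrip('auto', false, false));
// Rendered over HTTPS, submitted over HTTP: the Secure cookie is not sent, so an empty
// session starts, and the lookup key is "CompanyAdmin", not "https-CompanyAdmin".
var_dump(roundTrip('auto', true, false));
```

The last roundTrip() call fails the check twice over, once because the session is empty and once because the key differs, which is why dumping $namespacedId and the session contents, as done above, is the quickest way to tell whether the application saw the submit request as secure. When the scheme observed by PHP differs from the one the browser used, the fix belongs in the request handling (scheme detection, trusted proxies) rather than in the CSRF layer.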

@derrabus I will try to make one