symfony: "The CSRF token is invalid." in tests after upgrading to 6.2.6 to fix CVE

Symfony version(s) affected

6.2.6

Description

After installing the fix for https://symfony.com/blog/cve-2022-24895-csrf-token-fixation, tests fail with the message “The CSRF token is invalid.” I have only been able to reproduce this in tests, not (yet) when running the application in the browser.

@nicolas-grekas

How to reproduce

  1. Install the Symfony demo project: https://github.com/symfony/demo
  2. Run ./bin/phpunit. All tests should succeed.
  3. Run composer update.
  4. Run ./bin/phpunit. Multiple tests should fail. Add | grep CSRF and you will find the error message.

Possible Solution

I have no clue yet. My conclusion is that $this->csrfTokenStorage->clear(); is the cause of this bug (see https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4#diff-0ff1412624a79146c346925f2407eb4783b144da38ddb369ca30e49d046fab70R59), but removing this is obviously not an option as it is the fix for the CVE.

Additional Context

Docker one-liner:

docker run -it --rm composer bash -c " \
  composer create-project symfony/symfony-demo my_project; \
  cd my_project/; \
  ./bin/phpunit; \
  composer update; \
  ./bin/phpunit | head -n 6; \
  ./bin/phpunit | grep CSRF \
"

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 6
  • Comments: 20 (15 by maintainers)

Most upvoted comments

@MatTheCat #49319 fixes our issue (combination of HTTP basic auth and CSRF protection) in unit tests and the dev env. Thanks!

I can confirm I have a similar problem with version v5.4.19.

Login from the session does not cause any issue because it is done with the ContextListener. However authenticators can ultimately cause a LoginSuccessEvent to be dispatched up to the SessionStrategyListener which will clear the CSRF token.

Symfony Demo’s tests authenticate using the HttpBasicAuthenticator on every request so when a form is submitted you’re authenticated again and the CSRF token is removed from the session.

Could someone confirm that https://github.com/symfony/symfony/pull/49319 fixes their issue?

Upgrading symfony/security-http (v5.4.17 => v5.4.20) gives me the exact same issue.

Using KernelBrowser::loginUser seems to do the trick 👌 but it only fixes tests…
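The mechanism described above (an authenticator re-running on every request fires LoginSuccessEvent, and SessionStrategyListener then clears the CSRF token storage) and the KernelBrowser::loginUser workaround, as an added example that is not code from the issue or from the Symfony demo. It assumes a Doctrine-backed App\Repository\UserRepository, a fixture user "jane_admin", and a form page at /en/admin/post/new with a "Create post" button; those names are assumptions for the illustration.

```php
<?php
// Added example, not from the issue or the Symfony demo project.
// Authenticates the test client once via loginUser() so that no authenticator
// runs on the form submission and the CSRF token survives between requests.

namespace App\Tests\Controller;

use App\Repository\UserRepository;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class CsrfWithLoginUserTest extends WebTestCase
{
    public function testFormSubmissionKeepsCsrfToken(): void
    {
        $client = static::createClient();

        // Log in through the session instead of passing PHP_AUTH_USER/PHP_AUTH_PW
        // to createClient(). With basic auth the HttpBasicAuthenticator would run
        // again on the POST, dispatch LoginSuccessEvent, and SessionStrategyListener
        // would call $csrfTokenStorage->clear() before the token is checked.
        // ContextListener restores a session login silently, so no event fires.
        $user = static::getContainer()->get(UserRepository::class)
            ->findOneBy(['username' => 'jane_admin']); // assumed fixture user
        $client->loginUser($user);

        // Request 1: render the form; a fresh CSRF token is stored in the session.
        $client->request('GET', '/en/admin/post/new'); // assumed form URL
        self::assertResponseIsSuccessful();

        // Request 2: submit the form with the token rendered by request 1.
        // Because the token storage was not cleared in between, the submission
        // is accepted and the controller redirects instead of re-rendering the
        // form with "The CSRF token is invalid."
        $client->submitForm('Create post', [ // assumed button label / field names
            'post[title]' => 'Hello world',
            'post[summary]' => 'constructed test data',
            'post[content]' => 'constructed test data',
        ]);
        self::assertResponseRedirects();
    }
}
```

The same test written with `static::createClient([], ['PHP_AUTH_USER' => ..., 'PHP_AUTH_PW' => ...])` reproduces the failure from the issue on the affected versions, because the basic-auth authenticator runs again on the POST.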