symphonycms: XSRF token is not generated in the frontend

In the frontend (i.e. without a visitor being logged in to Symphony), XSRF tokens are not generated. The backend uses $this->Page->Form->prependChild(XSRF::formToken()); on every form, which will in turn call self::getToken()—so a token gets generated. But in the frontend, this doesn’t happen (since we don’t want to automatically inject any token markup). My first idea to solve this is to add:

XSRF::getToken();

in line 422 of class.frontendpage.php (immediately before adding the cookie values).

However, I am not sure if this is the correct approach.

About this issue

  • State: open
  • Created 10 years ago
  • Comments: 28 (28 by maintainers)

Most upvoted comments

What about an XSRF extension that provides and validates a token via an event for the frontend?

This is the way to go. I’ve postponed this issue to 2.8.0, but in fact, I agree with @jensscherbl on this. An event is exactly what you need. I even question the whole presence of the cookie-* values in the parameters.
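
The frontend event suggested in the comments, sketched as an added example that is not part of the original thread and not Symphony's own code: it creates the token on page load and validates it on submission. The class name FrontendTokenEvent, the xsrf-token session key and the xsrf field name are assumptions, and an array stands in for the session.

```php
<?php
// Added example: stand-alone sketch, not Symphony's XSRF class.
// FrontendTokenEvent, 'xsrf-token' and the 'xsrf' field are hypothetical names.
final class FrontendTokenEvent
{
    private const KEY = 'xsrf-token';
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session; // $_SESSION in real use
    }

    // Create the token on first use. The gap described in the issue is that
    // nothing on a frontend page triggers this step.
    public function token(): string
    {
        if (empty($this->session[self::KEY])) {
            $this->session[self::KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::KEY];
    }

    // Constant-time comparison; a missing stored or submitted token fails.
    public function validate(?string $submitted): bool
    {
        $expected = $this->session[self::KEY] ?? '';
        return $expected !== '' && $submitted !== null
            && hash_equals($expected, $submitted);
    }
}

// Constructed demo: an array stands in for the session so this runs from the CLI.
$session = [];
$event = new FrontendTokenEvent($session);

// No token has been generated yet, so a submission cannot validate.
var_dump($event->validate('anything'));

// Page load: the event generates the token and the template embeds it.
$field = sprintf('<input type="hidden" name="xsrf" value="%s">',
    htmlspecialchars($event->token(), ENT_QUOTES));
echo $field, PHP_EOL;

// Form submission: the matching token passes, a wrong or absent one fails.
var_dump($event->validate($session['xsrf-token']));
var_dump($event->validate(str_repeat('0', 64)));
var_dump($event->validate(null));
```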