Hi,
I am using sfDoctrineGuardPlugin for both the application's frontend and
backend. Login for the backend happens through the stock login screen that
comes with the plugin. Since the frontend has a completely different UI, and the
login form is displayed on all pages minus 'remember me', I cannot use the login
form that I am using for the backend.
So I did the following:
1. Copied
sfDoctrineGuardPlugin/lib/form/doctrine/base/BasesfGuardFormSignin.class.php
to another file, signinForm.class.php, and rewrote the setup function with the
required field.
2. Added these lines to apps/frontend/config/settings.yml:
all:
  .settings:
    enabled_modules: [default, sfGuardAuth]
    login_module: sfGuardAuth
    login_action: signin
    secure_module: sfGuardAuth
    secure_action: secure
3. Created the form on the frontend; the generated login form code is as below:
<form action="/frontend_dev.php/login" method="post">
<li>
<label for="signin_username">Username</label>
<input name="signin[username]" id="signin_username" type="text">
</li>
<li>
<label for="signin_password">Password</label>
<input name="signin[password]" id="signin_password" type="password">
<input name="signin[_csrf_token]" value="c22292acba08a9f6ba1615aebd326fc8"
id="signin__csrf_token" type="hidden"></li>
<input name="Submit" value="Submit" type="submit">
</form>
Now when I submit this form, I get validation error:
csrf token: CSRF attack detected
I suspect the CSRF token on the frontend is being generated using the
csrf_secret in the frontend's settings.yml but verified using the backend's
csrf_secret.
Can anyone please shed some light on why this may be happening, and how
can I fix it?
Thanks.
Regards,
Sam.
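An added example (not code from the post, the plugin or symfony) that mirrors, from memory of the symfony 1.x source, how sfForm::getCSRFToken() derives the token as md5(csrf_secret . session_id() . form class name) and how sfValidatorCSRFToken compares it, so that every input the rendering page and the validating action must agree on is visible; the secrets, session id and class names are constructed values.

```php
<?php
// Added example, not sfDoctrineGuardPlugin or symfony code. It mirrors (from
// memory of the symfony 1.x source) the token derivation in sfForm::getCSRFToken():
//   md5(csrf_secret . session_id() . get_class($form))
// so the secret, the session and the form class all have to match between the
// page that renders the hidden field and the action that validates the post.

// Same derivation as sfForm::getCSRFToken(); the session id is passed in
// instead of calling session_id() so the script runs from the CLI.
function csrfToken(string $secret, string $sessionId, string $formClass): string
{
    return md5($secret . $sessionId . $formClass);
}

// Same decision as sfValidatorCSRFToken (which uses a plain comparison);
// hash_equals() is used here to avoid a timing side channel.
function validateCsrf(string $submitted, string $expected): string
{
    return hash_equals($expected, $submitted) ? 'ok' : 'CSRF attack detected';
}

// Constructed values; in the framework the session id comes from session_id().
$sessionId      = 'constructed-session-id';
$frontendSecret = 'frontend_csrf_secret'; // csrf_secret in apps/frontend/config/settings.yml
$backendSecret  = 'backend_csrf_secret';  // csrf_secret in apps/backend/config/settings.yml

// Token rendered into signin[_csrf_token] by the copied frontend form class.
$rendered = csrfToken($frontendSecret, $sessionId, 'signinForm');

$cases = [
    // same secret, same form class, same session: the only combination that passes
    'same secret, same class'     => csrfToken($frontendSecret, $sessionId, 'signinForm'),
    // the hypothesis in the post: verified with the other application's secret
    'backend secret'              => csrfToken($backendSecret, $sessionId, 'signinForm'),
    // verified by the plugin's original form class rather than the copied one
    'same secret, original class' => csrfToken($frontendSecret, $sessionId, 'sfGuardFormSignin'),
];

foreach ($cases as $label => $expected) {
    printf("%-28s %s\n", $label . ':', validateCsrf($rendered, $expected));
}
```

Only the first case prints "ok"; the other two reproduce the "CSRF attack detected" message because a different secret or a different form class name changes the md5 input.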
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en