
[Security][SecurityBundle] Change Exception thrown by IsCsrfTokenValid Attribute

Open eltharin opened this issue 8 months ago • 5 comments

| Q | A |
|---|---|
| Branch? | 7.2 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Issues | Fix #57343 |
| License | MIT |

Change InvalidCsrfTokenException behavior:

Currently, when InvalidCsrfTokenException is thrown, a 403 response is returned, or, if there is a userAuthenticator, the response is converted to a 301 redirect to login. For example, for a basic contact form, if the CSRF token is bad, I'm redirected to the login page => why? InvalidCsrfTokenException extends AuthenticationException, but a CSRF error is not necessarily an authentication error. And is the 403 error code really appropriate for a CSRF error?

Repo to reproduce: https://github.com/eltharin/reproducer_symfony_57343/tree/main

So I propose to change the parent from AuthenticationException to BadRequestHttpException, to have a 400 Bad Request error, which is better suited to a CSRF error, and to avoid a redirection to the login page.

eltharin avatar Jul 02 '24 08:07 eltharin
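As an added illustration (not code from this PR, the reproducer repository, or Symfony itself), the snippet below shows the controller usage the description refers to, followed by a kernel.exception listener that an application can register on versions where InvalidCsrfTokenException still extends AuthenticationException, so that a failed CSRF check yields a 400 response instead of being handed to the firewall's entry point. The controller class, route name, CSRF token id and listener priority are assumptions; in a real project the two classes live in separate files.

```php
<?php
// Added example, not part of the PR. Assumes Symfony 7.1+ (IsCsrfTokenValid attribute).

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid;

final class ContactController extends AbstractController
{
    // The attribute validates the token submitted in the "_token" request field
    // against the "contact" token id before the action body runs. On mismatch it
    // throws InvalidCsrfTokenException; today (7.2) that exception is an
    // AuthenticationException, so the firewall turns it into a 403 or a login redirect.
    #[Route('/contact', name: 'contact_submit', methods: ['POST'])]
    #[IsCsrfTokenValid('contact')]
    public function submit(Request $request): Response
    {
        // Form handling would go here; the action only runs when the token is valid.
        return new Response('Thanks for your message.', Response::HTTP_OK);
    }
}

namespace App\EventListener;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;

// Application-level workaround: map a failed CSRF check to 400 Bad Request.
// The priority (assumed value) is set above the security ExceptionListener's so this
// runs first; setResponse() stops propagation, so the firewall never sees the exception.
#[AsEventListener(event: KernelEvents::EXCEPTION, priority: 10)]
final class CsrfExceptionListener
{
    public function __invoke(ExceptionEvent $event): void
    {
        if (!$event->getThrowable() instanceof InvalidCsrfTokenException) {
            return;
        }

        // A bad or missing token is a malformed request, not a missing login:
        // answer 400 and do not redirect an authenticated user to the login page.
        $event->setResponse(new Response('Invalid CSRF token.', Response::HTTP_BAD_REQUEST));
    }
}
```

The listener only changes the HTTP status; the token check itself is still performed by the attribute, so the defensive behaviour (rejecting the request) is unchanged. Once the exception's parent is changed as the PR proposes, the listener becomes unnecessary.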