
Silex offers the ability to automatically use CSRF protection for forms. The problem is that when using the provided HttpCacheProvider it is impossible not to cache the generated token, so the solution is to use ESI, but I can't make it work. I tried with 2 actions, one with the twig containing the ESI code and the form._token to render the CSRF token:

<esi:include src="/form" />
{{ form_row(form._token) }}

and the action "form" containing the rest of the form, but now the validation errors are not displayed. Is this even possible to do? Is it the right way?

1 Answer


The request made for /form doesn't display the validation errors because it results in a separate http request to your back end that has no knowledge of the submitted form data or the resulting validation errors from the parent request.

Without knowing too much about Silex or PHP in general, I would recommend using the ESI constructs only for the cacheable GET request that loads the form (so that you always get a fresh CSRF token), and including the fragment using a PHP include when responding to the uncacheable POST on form submission. Pseudocode looks like:

    <?php
    // Cacheable GET: let the cache layer fetch a fresh fragment (and token) via ESI
    if ($request->getMethod() === 'GET') {
        echo '<esi:include src="/form" />';
    // Uncacheable POST: include the fragment in-process so the validation errors are available
    } elseif ($request->getMethod() === 'POST') {
        include 'form.php';
    }
Johnny C
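The pattern from the answer spelled out as a minimal Silex application. This is an added example, not code from the question or the answer: it assumes Silex 2.x with the Session, Csrf, Twig and HttpCache service providers, a Composer autoloader, a `templates/` directory with `page.twig` (which outputs `{{ fragment|raw }}`) and `form_fragment.twig` (which renders the hidden `_token` input and an `errors` list), and a token id `contact`. It uses the CSRF token manager directly instead of Symfony Form's `form._token` to keep the cache behaviour visible: the fragment is marked private/no-store so the token is never cached, the GET shell is public and cacheable, and on POST the fragment is rendered in the same request so the errors reach the template.

```php
<?php
// Added example (assumed layout: vendor/, templates/, cache/ beside this file).
require __DIR__.'/vendor/autoload.php';

use Silex\Application;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Csrf\CsrfToken;

const TOKEN_ID = 'contact'; // assumed CSRF token id for this form

$app = new Application();
$app->register(new Silex\Provider\SessionServiceProvider());
$app->register(new Silex\Provider\CsrfServiceProvider());
$app->register(new Silex\Provider\TwigServiceProvider(), ['twig.path' => __DIR__.'/templates']);
$app->register(new Silex\Provider\HttpCacheServiceProvider(), ['http_cache.cache_dir' => __DIR__.'/cache']);

// Renders the form fragment with a fresh token. Shared by the ESI route (GET)
// and the in-process POST path, so both produce identical markup.
$renderFragment = function (array $errors) use ($app) {
    return $app['twig']->render('form_fragment.twig', [
        'token'  => $app['csrf.token_manager']->getToken(TOKEN_ID)->getValue(),
        'errors' => $errors,
    ]);
};

// Marks a response as not storable by the cache layer (private + no-store).
$uncacheable = function (Response $response) {
    $response->setPrivate();
    $response->headers->addCacheControlDirective('no-store');
    return $response;
};

// ESI fragment: fetched by the cache on behalf of <esi:include src="/form" />.
// It must never be cached, otherwise every visitor would receive the same token.
$app->get('/form', function () use ($renderFragment, $uncacheable) {
    return $uncacheable(new Response($renderFragment([])));
});

// Page: cacheable shell on GET (the token arrives via ESI), uncacheable on POST.
$app->match('/', function (Request $request) use ($app, $renderFragment, $uncacheable) {
    if ($request->isMethod('GET')) {
        $html = $app['twig']->render('page.twig', ['fragment' => '<esi:include src="/form" />']);
        $response = new Response($html);
        $response->setPublic();
        $response->setTtl(600); // assumed TTL for the public shell
        return $response;
    }

    // POST: validate in this request, then render the fragment in-process so
    // the errors are visible (a separate ESI request would not see them).
    $errors = [];
    $submitted = new CsrfToken(TOKEN_ID, $request->request->get('_token', ''));
    if (!$app['csrf.token_manager']->isTokenValid($submitted)) {
        $errors[] = 'Invalid CSRF token, please resubmit the form.';
    }
    if (trim($request->request->get('message', '')) === '') {
        $errors[] = 'Message must not be empty.';
    }
    // A valid submission would be handled here (e.g. persist and redirect).

    $html = $app['twig']->render('page.twig', ['fragment' => $renderFragment($errors)]);
    return $uncacheable(new Response($html));
})->method('GET|POST');

// Run the app through the HttpCache front so ESI tags are resolved on every hit.
$app['http_cache']->run();
```

Two things to check when adopting this: confirm with `curl -I` that `/form` comes back with `Cache-Control: private, no-store` while `/` on GET is `public, max-age=600`, and remember that the in-process POST path issues a new token in the re-rendered form, so a resubmission after a validation error still carries a valid token.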