3

I am getting the following error on logging in to a Symfony2 application:

[2014-06-27 00:36:22] security.INFO: Authentication request failed: Invalid CSRF token. [] []

Running on:

  • Symfony2
  • SonataUserBundle
  • Vagrant (using puppet via Puphpet.com)
  • Safari/OSX

Same setting is Working on an Ubuntu host system.

Thanks for any help.

security.yml:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false

    secured_area:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            invalidate_session : false
            path: fos_user_security_logout
        anonymous: true
        switch_user: true

Application/Sonata/UserBundle/Resources/views/Security/login.html.twig

{% extends "FOSUserBundle::layout.html.twig" %}

{% trans_default_domain 'FOSUserBundle' %}

{% block fos_user_content %}
{% if error %}
    <div class="alert alert-danger">
        <button type="button" class="close" data-dismiss="alert">&times;</button>
        {{ error|trans }}
    </div>
{% endif %}

<form class="form-horizontal" action="{{ path("fos_user_security_check") }}" method="post">
    <fieldset>
        <legend>Login</legend>
        <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />

        <div class="form-group">
            <label class="col-lg-2 control-label required" for="username">{{ 'security.login.username'|trans }}</label>
            <div class="col-lg-5">
                <input type="text" id="username" name="_username" placeholder="Username" value="{{ last_username }}" required="required" class="form-control" />
            </div>
        </div>

        <div class="form-group">
            <label class="col-lg-2 control-label required" for="password">{{ 'security.login.password'|trans }}</label>
            <div class="col-lg-5">
                <input type="password" id="password" name="_password" placeholder="Password" required="required" class="form-control" />
            </div>
        </div>

        <div class="form-group">
            <div class="col-lg-offset-2 col-lg-5">
                <input type="checkbox" id="remember_me" name="_remember_me" value="on" />
                <label for="remember_me">{{ 'security.login.remember_me'|trans }}</label>
            </div>
        </div>

        <div class="form-group">
            <div class="col-lg-offset-2 col-lg-5">
                <a href="{{ path("fos_user_resetting_request") }}">{{ 'resetting.request.submit'|trans }}</a>
                <input type="submit" id="_submit" name="_submit" value="{{ 'security.login.submit'|trans }}" class="btn btn-primary form-control" />
            </div>
        </div>
    </fieldset>
</form>
{% endblock fos_user_content %}

Anything else is used of the FOSUserBundle and SonataUserBundle

Felix Frank
  • 8,125
  • 1
  • 23
  • 30
mr_jingles
  • 137
  • 1
  • 9

2 Answers2

7

I could solve my problem now. It seems to be a problem with write permissions on the session save path. If I change the configuration to use the default session save path as following:

# app/config/config.yml
framework:
    session:
        save_path: null

Then /var/lib/php/session is used instead of /var/www/myproject/app/cache/dev/sessions

The permissions on /var/www/crowdcustoms/app/cache/dev/sessions:

drwxr-xr-x   4 501 dialout    136 Jun 29 20:37 sessions/

The permissions on /var/lib/php/session

drwxrwxr-x  2 www-data www-data 4096 Jun 29 20:36 session
Potherca
  • 13,207
  • 5
  • 76
  • 94
mr_jingles
  • 137
  • 1
  • 9
-1

You forgot the context, csrf_token('authentication') should do the trick!

Ref: http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html

Katch
  • 170
  • 1
  • 20
  • Hi, the token value is available. I tried your fix but doesn't change anyway. Same software is also working on another host system. – mr_jingles Jun 28 '14 at 11:16