
I am using Symfony2 with SimpleSAMLphp for user authentication.

I set session.storage.php_bridge in my config because I get strange behaviour without it.

session:
    storage_id: session.storage.php_bridge
    handler_id:  ~

Now with these settings my Symfony2 form CSRF protection stops working. It says that the CSRF token is invalid. I checked the request and the _token is sent on form submit. Also I have debugged CsrfTokenManager.php. I found out that the token submitted with the form and the token in the tokenStorage mismatch. The token in the session is regenerated on every request and it does not match the one I send with the form information.

Is this some kind of bug?

andrius.k
  • I know it may sound silly, but have you cleared your cache after doing the session change? – Renato Mefi Dec 04 '15 at 10:04
  • Yes. I thought so at first also – andrius.k Dec 04 '15 at 10:16
  • I think this problem is still relevant today. I have the same situation. CSRF fails when `security.stateless` is set to `false`. Toggling stateless to true, the PhpBridgeSessionStorage `started` property is false. I've been wrestling with this for 2 days now. – tlorens Sep 19 '17 at 20:10

0 Answers