Disable symfony 2 csrf token protection on ajax submit

Question

i'm building a mobile app talking to my symfony2 app via webservices I can't find a way to disable csrf protection on a specific controller/action

i want to post registration data to this action and use sf2 form validation. I do not call the form in my mobile app

Can't change container parameters in action, throw an exception because it is a frozen parameter...

I do not want to disable form protection for whole my application

any clue ?

thanks !

update: with symfony 2.1.x

/**
 * {@inheritdoc}
 */
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
    $resolver->setDefaults(array(
        'csrf_protection'   => false,
    ));
}

`$form = $this->createForm($formType, $entity, array('csrf_protection' => false));` — Samuel Katz, Sep 03 '12 at 00:39
Didn't investigate more but using a form type as a service i had to use SalmanPK's solutions since default csrf_protection option was not recognised. — tuxone, Nov 07 '15 at 17:32

score 88 · Accepted Answer · edited Sep 17 '18 at 13:44

88

If you're looking for a bit easier and faster solution than suggested in answer above, here's how:

<?php

// ...

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilder;
use Symfony\Component\OptionsResolver\OptionsResolver;

class MyType extends AbstractType
{
    // ...

   public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults(array(
            'csrf_protection' => false,
        ));
    }
}

.. or if you're using older versions (Symfony 2.0.*):

<?php

// ...

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilder;

class MyType extends AbstractType
{
    // ....

    public function getDefaultOptions(array $options)
    {
        $options = parent::getDefaultOptions($options);
        $options['csrf_protection'] = false;

        return $options;
    }
}

Consult the Symfony documentation for additional information.

Edit: updated answer to latest Symfony version, thanks naitsirch

edited Sep 17 '18 at 13:44

Pierre-Olivier Vares

1,687
15
20

answered Mar 27 '12 at 11:52

Inoryy

8,365
2
39
40

Thanks ! i was looking for implementing a custom csrf provider like @jperovic, but your solution works and is clean :) – julien rollin Mar 27 '12 at 12:07
Definitely simpler solution! :) – Jovan Perovic Mar 27 '12 at 12:13
missing a disableCSRFProtection() method like a symfony 1. Really convenient in ajax context – julien rollin Mar 27 '12 at 12:22
It's time to add the new >=2.7 method replacing getDefaultOptions – Layton Everson Jul 23 '15 at 10:04
[>=2.7: `configureOptions(OptionsResolver $resolver)`](http://symfony.com/blog/new-in-symfony-2-7-form-and-validator-updates#deprecated-setdefaultoptions-in-favor-of-configureoptions) – Pierre de LESPINAY Oct 14 '15 at 08:11
The first snippet (configureOptions) works in Symfony 4. – Pierre-Olivier Vares Sep 17 '18 at 10:12
1

I allowed myself to rewrite "or if you're using Symfony 2.0" in something more explicit today (No doubt at the time of writting this was clear, but today I didn't knew in reading whereas it was meaning "older versions" or "newer versions"). Feel free to accept / modify / revert my edit. – Pierre-Olivier Vares Sep 17 '18 at 10:16

Mick · Answer 2 · 2014-04-11T19:25:34.540

20

Using the form factory

For those who want to create a simple form in a controller:

$form = $this->container->get('form.factory')
    ->createNamedBuilder(null, 'form', null, array('csrf_protection' => false))
    ->add('yourField','text', array(
        'label' => false,
        'mapped' => false
    ))
    ->getForm();

edited Apr 11 '14 at 19:25

answered Jan 10 '14 at 14:30

Mick

30,759
16
111
130

score 8 · Answer 3 · answered Jun 24 '16 at 11:29

8

public function configureOptions(OptionsResolver $resolver)
{
    $resolver->setDefaults([
        'csrf_protection' => false,
    ]);
}

answered Jun 24 '16 at 11:29

luchaninov

6,792
6
60
75

Thank you, it worked for Symfony 4 app. In my case I put this code in the file `src/Form/MovieType.php` – yesnik Aug 27 '19 at 07:52

score 2 · Answer 4 · answered Jul 25 '16 at 14:30

Using the form factory in Symfony 3

use Symfony\Component\Form\Extension\Core\Type\FormType;

$form = $this->container->get('form.factory')
    ->createNamedBuilder(null, FormType::class, null, array('csrf_protection' => false))
    ->add('yourField','text', array(
        'label' => false,
        'mapped' => false
    ))
    ->getForm();

Adapted from Mick's answer

Jovan Perovic · Answer 5 · 2012-03-27T11:45:18.600

I can't be 100% sure but I think I read somewhere that you can pass csrf_provider option while creating form.

All providers are subtypes of interface Symfony\Component\Form\Extension\Csrf\CsrfProvider and you should be able to create your own:

class MyNonCsrfProvider extends DefaultCsrfProvider{
    public function isCsrfTokenValid($intention, $token)
    {
        return true;
    }
}

and in controller:

$this->createForm(new CustomFormType(), array(
    'csrf_provider' => new MyNonCsrfProvider()
));

I haven't tried this myself but this sounds like a possible solution...

Disable symfony 2 csrf token protection on ajax submit

5 Answers5

Using the form factory

Using the form factory in Symfony 3

Linked