I have this open source Symfony app and I need to disable CSRF checks either globally or at least for some <forms>. Besides 2 methods described below, I also tried removing various lines of code that mention CSRF, but nothing helped.
What I tried:
- I tried to globally disable CSRF as described here How can I turn of CSRF protection globally on Symfony 3 with FOSUserBundle , but the problem is in my Symfony App there are no
.ymlfiles inroot/configdirectory - it only contains:settings.php,default.settings.php,dev.php,prod.php,languages.php, but no.yml/.xmlfiles - I tried to disable CSFR for a specific
<form>as described here How to disable csrf in symfony? , but the prblem is my<form>is HTML-based, not PHP-based. My Symfony app doesn't create<form>s via PHP.
My Symfony App:
- The app is open-source - repository here: https://github.com/agendav/agendav/tree/develop/web
- In
root/app/controllers.phpI have this piece of code withCSRF protection ↓↓↓. I tried to remove it, but then form is not even rendered.
...
// Authentication
$app->get('/login', '\AgenDAV\Controller\Authentication::loginAction')->bind('login');
$app->post('/login', '\AgenDAV\Controller\Authentication::loginAction');
$app->get('/logout', '\AgenDAV\Controller\Authentication::logoutAction')->bind('logout');
// CSRF protection
$app->before(function(Request $request, Application $app) {
return \AgenDAV\Csrf::check($request, $app);
});
...
- The login form template is in
root/templates/login.htmland it is called insideroot/src/controller/Authentication.php:
...
return $app['twig']->render('login.html', $template_vars);
...