Closed
Symfony version(s) affected
7.2.0
Description
Hi,
After upgrading from Symfony 7.1.6 to 7.2.0 and updating the associated recipes, I encountered a bug when submitting forms: "CSRF token is invalid".
Key Details:
- Environment: The issue only occurs in the prod environment;
- CSRF Token Issue: The HTML generated for the CSRF token has a value attribute that is undefined:
<input type="hidden" id="meeting__token" name="meeting[_token]" data-controller="csrf-protection" autocomplete="off" value="csrf-token">
Also, I created a fresh Symfony webapp with a simple CRUD setup. The same issue occurred.
How to reproduce
https://github.com/smbpunt/bug-sf-59065
It's a simple new “webapp” with an entity and an associated crud (all generated via maker-bundle).
- Clone
- Install
- Run server
- Go to /new
- Submit a form
Possible Solution
The only working solution/workaround was to comment out the stateless configuration in csrf.yaml:
# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit

    # csrf_protection:
    #     stateless_token_ids:
    #         - submit
    #         - authenticate
    #         - logout
Additional Context
No response