Conversation

pierredup
Contributor

@pierredup pierredup commented Oct 10, 2025

Q A
Branch? 7.3
Bug fix? yes
New feature? no
Deprecations? no
Issues N/A
License MIT

When using the logout_path (or logout_url) Twig function with stateless CSRF, the generator creates a link with an invalid CSRF token parameter (/logout?_csrf_token=csrf-token), which then causes an error during logout (Invalid CSRF token), since the LogoutListener reads the token from the query parameter first.

Reproducer:

framework:
    csrf_protection:
        stateless_token_ids: ['logout']

<form method="post" action="{{ logout_path() }}">
    <input type="hidden" data-controller="csrf-protection" name="_csrf_token" value="{{ csrf_token('logout') }}"/>
    <button type="submit">Logout</button>
</form>
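To make the failure mode in the description concrete, here is an added illustration (not Symfony's code, and not part of the PR) of why the lookup order matters: the rendered form action carries the stateless placeholder token in the query string while the real token is only in the POST body, so a query-first lookup rejects the request and a body-first lookup accepts it. The function names and the expected-token value are hypothetical.

```php
<?php
// Added illustration, not Symfony's implementation: the rendered logout URL
// carries the literal placeholder below, the real token is only in the body.
const PLACEHOLDER = 'csrf-token';

/**
 * Hypothetical stand-in for reading "_csrf_token" from a request.
 * $bodyFirst = false mirrors the query-first behaviour the PR describes,
 * $bodyFirst = true mirrors preferring the POST body and falling back to the query.
 */
function resolveToken(array $query, array $body, bool $bodyFirst): ?string
{
    $bags = $bodyFirst ? [$body, $query] : [$query, $body];
    foreach ($bags as $bag) {
        if (isset($bag['_csrf_token']) && '' !== $bag['_csrf_token']) {
            return $bag['_csrf_token'];
        }
    }

    return null;
}

/** Hypothetical validator: the placeholder is never a valid token. */
function isValidLogoutToken(?string $token, string $expected): bool
{
    if (null === $token || PLACEHOLDER === $token) {
        return false;
    }

    return hash_equals($expected, $token);
}

// Constructed request matching the reproducer: the form posts to
// "/logout?_csrf_token=csrf-token" and its body holds the real token.
$expected = 'constructed-real-token';
$query = ['_csrf_token' => PLACEHOLDER];
$body = ['_csrf_token' => $expected];

// Query-first: the placeholder shadows the real token and validation fails.
var_dump(isValidLogoutToken(resolveToken($query, $body, false), $expected));

// Body-first: the real token is found and validation succeeds.
var_dump(isValidLogoutToken(resolveToken($query, $body, true), $expected));

// A plain GET logout link has no body, so the query string is still consulted.
var_dump(resolveToken($query, [], true));
```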

@carsonbot

Hey!

Thanks for your PR. You are targeting branch "7.3" but it seems your PR description refers to branch "7.3 for bug fixes".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@carsonbot carsonbot changed the title Fix generating logout link with stateless csrf Fix generating logout link with stateless csrf Oct 10, 2025
@pierredup pierredup changed the title Fix generating logout link with stateless csrf [Security] Fix generating logout link with stateless csrf Oct 10, 2025
@carsonbot carsonbot changed the title [Security] Fix generating logout link with stateless csrf Fix generating logout link with stateless csrf Oct 12, 2025
@nicolas-grekas
Member

Thank you @pierredup.

@nicolas-grekas nicolas-grekas merged commit c1e91c5 into symfony:7.3 Oct 13, 2025
11 checks passed

if (null !== $this->csrfTokenManager) {
$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter'], $request->request->all());
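Review bot: the new third argument `$request->request->all()` changes which source wins when `_csrf_parameter` is present in both the body and the query string, and that reversal is the whole fix, so the line deserves a short comment stating why (the generated logout URL can carry a placeholder `_csrf_token`, as the PR description explains) and a test that posts the form to an action URL carrying the placeholder while the body holds the real token.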
Member

$request->request should be used only for POST requests, not for GET requests

Member

IMO we need to revert the whole PR as is (see #62086) and work on fixing the root issue instead (a URL with an invalid CSRF token being generated).

Member

$request->request->all() is going to be empty so that we'll properly fall back to the query string on GET requests.
