DefaultCsrfProvider deprecated

class DefaultCsrfProvider implements CsrfProviderInterface

deprecated

since version 2.4, to be removed in 3.0. Use {@link \Symfony\Component\Security\Csrf\CsrfTokenManager} in combination with {@link \Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage} instead.

Default implementation of CsrfProviderInterface.

This provider uses the session ID returned by session_id() as well as a user-defined secret value to secure the CSRF token.

Methods

__construct(string $secret)

Initializes the provider with a secret value.
string generateCsrfToken(string $intention)

Generates a CSRF token for a page of your application.
bool isCsrfTokenValid(string $intention, string $token)

Validates a CSRF token.

Details

__construct(string $secret)

Initializes the provider with a secret value.

A recommended value for the secret is a generated value with at least 32 characters and mixed letters, digits and special characters.

Parameters

string $secret A secret value included in the CSRF token

string generateCsrfToken(string $intention)

Generates a CSRF token for a page of your application.

Parameters

string $intention Some value that identifies the action intention (i.e. "authenticate"). Doesn't have to be a secret value.

Return Value

string The generated token

bool isCsrfTokenValid(string $intention, string $token)

Validates a CSRF token.

Parameters

string $intention The intention used when generating the CSRF token
string $token The token supplied by the browser

Return Value

bool Whether the token supplied by the browser is correct

© 2004–2017 Fabien Potencier
Licensed under the MIT License.
http://api.symfony.com/3.4/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.html