CSRF protection in 5.0 is not integrated with legacy, meaning that forms spanning both kernels are impossible.
However, a look into how Symfony deals with this reveals that the fix is simple:
- Inject the CSRF framework.secret from Symfony into legacy
- Change ezformtoken to use this secret and generate the token in the following way:
  - sha1( $this->secret . $intention . $this->session->getId() );
  - $intention can be set to "legacy"
  - there is no need to save it in the session anymore
- (optional) Also inject Symfony yml param framework.csrf_protection.field_name and change ezformtoken to accept this form field name as well.
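
A sketch of the legacy-side check described above, added here as an example and not taken from eZ Publish or Symfony code. The class name, the two field names and the sample secret and session id are assumptions; the token derivation is the one given in the list, and the comparison uses hash_equals() so it runs in constant time.

```php
<?php
// Added example: hypothetical class, assumed field names, constructed sample values.
final class SharedSecretFormToken
{
    private $secret;
    private $sessionId;
    private $intention;
    private $fieldNames;

    public function __construct($secret, $sessionId, $intention = 'legacy',
                                array $fieldNames = array('ezxform_token', '_token'))
    {
        // An empty secret or session id would make every token predictable.
        if ($secret === '' || $sessionId === '') {
            throw new InvalidArgumentException('secret and session id must be non-empty');
        }
        $this->secret = $secret;
        $this->sessionId = $sessionId;
        $this->intention = $intention;
        $this->fieldNames = $fieldNames;
    }

    public function generate()
    {
        // Derived on every request from the shared secret; nothing is saved in the session.
        return sha1($this->secret . $this->intention . $this->sessionId);
    }

    public function isValid(array $post)
    {
        $expected = $this->generate();
        foreach ($this->fieldNames as $name) {
            // Reject missing or non-string fields (e.g. _token[]=x) before comparing.
            if (isset($post[$name]) && is_string($post[$name])
                && hash_equals($expected, $post[$name])) {
                return true;
            }
        }
        return false;
    }
}

// Constructed values standing in for framework.secret and the shared session id.
$secret = 'constructed-framework-secret';
$sid = 'constructed-session-id';
$legacy = new SharedSecretFormToken($secret, $sid);
$fromSymfony = sha1($secret . 'legacy' . $sid); // token as the other kernel would derive it

var_dump($legacy->isValid(array('_token' => $fromSymfony)));        // Symfony field name
var_dump($legacy->isValid(array('ezxform_token' => $fromSymfony))); // legacy field name
var_dump($legacy->isValid(array('_token' => sha1($secret . 'legacy' . 'other-session'))));
var_dump($legacy->isValid(array('_token' => array('x'))));          // non-string input
```

Because the token depends only on the secret, the intention and the session id, it stays the same for the lifetime of the session and changes when the session id is regenerated.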