Details
- Bug
- Resolution: Fixed
- High
- Known Issues 5.x Stack, 5.0
- Stetind Sprint 4
Description
CSRF protection in 5.0 is not integrated with legacy, meaning forms that span both kernels are impossible.
However, a look into how Symfony deals with this reveals that the fix is simple:
- Inject the CSRF framework.secret from Symfony into legacy
- Change ezformtoken to use this secret and generate the token in the following way:
  - sha1( $this->secret . $intention . $this->session->getId() );
  - $intention can be set to "legacy"
  - there is no need to save it in the session anymore
- (optional) Also inject the Symfony yml parameter framework.csrf_protection.field_name and change ezformtoken to accept this form field name as well.
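As an added illustration (not ezformtoken's or Symfony's own code), the following standalone PHP snippet shows what the proposed scheme looks like end to end: the token is a pure function of the injected secret, the intention and the session id, so the legacy kernel can both generate and validate it without storing anything in the session. The class name LegacyCsrfToken, the sample secret, session id and field name are assumptions constructed for the example; in the real integration the secret comes from framework.secret and the field name from framework.csrf_protection.field_name.

```php
<?php
// Added example, not eZ Publish or Symfony code. Derives the CSRF token as
// sha1(secret . intention . session id), as proposed in the description, so
// both kernels agree on the token without saving it in the session.

class LegacyCsrfToken
{
    private $secret;     // framework.secret injected from the Symfony container
    private $sessionId;  // $this->session->getId() in the real integration
    private $intention;  // "legacy" per the description

    public function __construct($secret, $sessionId, $intention = 'legacy')
    {
        $this->secret    = $secret;
        $this->sessionId = $sessionId;
        $this->intention = $intention;
    }

    // Generate the token exactly as described.
    public function generate()
    {
        return sha1($this->secret . $this->intention . $this->sessionId);
    }

    // Validate a submitted token by recomputing it; no session lookup needed.
    // A constant-time comparison avoids leaking the expected value via timing.
    public function isValid($submitted)
    {
        if (!is_string($submitted) || $submitted === '') {
            return false;
        }
        $expected = $this->generate();
        if (function_exists('hash_equals')) {   // PHP >= 5.6
            return hash_equals($expected, $submitted);
        }
        // Fallback constant-time comparison for older PHP versions.
        if (strlen($expected) !== strlen($submitted)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
            $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
        }
        return $diff === 0;
    }
}

// Constructed sample values (assumptions for this example only).
$secret    = 'constructed-framework-secret-replace-me'; // stands in for framework.secret
$sessionId = 'constructed-session-id';                   // stands in for the shared session id
$fieldName = 'constructed_csrf_field';                   // stands in for framework.csrf_protection.field_name

$csrf  = new LegacyCsrfToken($secret, $sessionId, 'legacy');
$token = $csrf->generate();

// Rendering side: emit the hidden field under the configured field name.
echo '<input type="hidden" name="' . htmlspecialchars($fieldName, ENT_QUOTES)
   . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '" />' . "\n";

// Submission side: read the field back and validate it.
$_POST     = array($fieldName => $token);                 // constructed request
$submitted = isset($_POST[$fieldName]) ? $_POST[$fieldName] : '';
var_dump($csrf->isValid($submitted));

// Same token presented from a different session must be rejected,
// because the session id is part of the hashed input.
$otherSession = new LegacyCsrfToken($secret, 'some-other-session', 'legacy');
var_dump($otherSession->isValid($submitted));
```

The second validation shows why binding the token to the session id matters: a token captured from one session is useless in another, even though the secret and intention are shared across the whole installation.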