Tweak login forms to enable double-submit CSRF protection

symfony · Sep 13, 2024 · 97636c3 · 97636c3
1 parent a3b7f14
commit 97636c3
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/src/Resources/skeleton/authenticator/login_form.tpl.php b/src/Resources/skeleton/authenticator/login_form.tpl.php
@@ -24,6 +24,8 @@
 
     <input type="hidden" name="_csrf_token"
            value="{{ csrf_token('authenticate') }}"
+           autocomplete="off"
+           data-controller="csrf-protection"
     >
 <?php if($support_remember_me && !$always_remember_me): ?>
 

diff --git a/src/Resources/skeleton/security/formLogin/login_form.tpl.php b/src/Resources/skeleton/security/formLogin/login_form.tpl.php
@@ -24,6 +24,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#

diff --git a/tests/fixtures/security/make-form-login/expected/login.html.twig b/tests/fixtures/security/make-form-login/expected/login.html.twig
@@ -22,6 +22,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#

diff --git a/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig b/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig
@@ -16,6 +16,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#