class DefaultCsrfProvider implements CsrfProviderInterface

Deprecated since version 2.4, to be removed in 3.0. Use \Symfony\Component\Security\Csrf\CsrfTokenManager in combination with \Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage instead.

Default implementation of CsrfProviderInterface.

This provider uses the session ID returned by session_id() as well as a user-defined secret value to secure the CSRF token.

Properties

protected $secret

Methods

__construct(string $secret)

Initializes the provider with a secret value.

string generateCsrfToken(string $intention)

Generates a CSRF token for a page of your application.

bool isCsrfTokenValid(string $intention, string $token)

Validates a CSRF token.

string getSessionId()

Returns the ID of the user session.

Details

at line 41
__construct(string $secret)

Initializes the provider with a secret value.

A recommended value for the secret is a generated value with at least 32 characters and mixed letters, digits and special characters.

Parameters

string $secret A secret value included in the CSRF token

at line 49
string generateCsrfToken(string $intention)

Generates a CSRF token for a page of your application.

Parameters

string $intention Some value that identifies the action intention (e.g. "authenticate"). Doesn't have to be a secret value.

Return Value

string The generated token

at line 57
bool isCsrfTokenValid(string $intention, string $token)

Validates a CSRF token.

Parameters

string $intention The intention used when generating the CSRF token
string $token The token supplied by the browser

Return Value

bool Whether the token supplied by the browser is correct

at line 71
protected string getSessionId()

Returns the ID of the user session.

Automatically starts the session if necessary.

Return Value

string The session ID
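
The scheme documented above, with the token derived from the secret, the intention and the session ID, shown as an added example that is not Symfony's source code. The class name SessionBoundCsrfTokens, the HMAC-SHA256 construction, the injected session ID (in place of session_id()) and the sample values are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example: hypothetical class, not Symfony's DefaultCsrfProvider source.
final class SessionBoundCsrfTokens
{
    private $secret;
    private $sessionId;

    public function __construct(string $secret, string $sessionId)
    {
        // Follows the page's advice: a generated secret of at least 32 characters.
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('Secret must be at least 32 characters.');
        }
        if ($sessionId === '') {
            throw new InvalidArgumentException('A started session is required.');
        }
        $this->secret = $secret;
        $this->sessionId = $sessionId;
    }

    public function generateCsrfToken(string $intention): string
    {
        // Length-prefix the intention so the boundary between intention and
        // session ID is unambiguous in the MAC input.
        $message = strlen($intention) . ':' . $intention . $this->sessionId;
        // Keyed hash: without the secret, a known session ID is not enough to forge a token.
        return hash_hmac('sha256', $message, $this->secret);
    }

    public function isCsrfTokenValid(string $intention, string $token): bool
    {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        return hash_equals($this->generateCsrfToken($intention), $token);
    }
}

// Constructed sample values; in a web request the ID would come from session_id().
$secret = bin2hex(random_bytes(32));
$alice  = new SessionBoundCsrfTokens($secret, 'constructed-session-id-alice');
$bob    = new SessionBoundCsrfTokens($secret, 'constructed-session-id-bob');

$token = $alice->generateCsrfToken('authenticate');

var_dump($alice->isCsrfTokenValid('authenticate', $token));   // same session, same intention
var_dump($alice->isCsrfTokenValid('delete_account', $token)); // token replayed for another intention
var_dump($bob->isCsrfTokenValid('authenticate', $token));     // token replayed in another session
var_dump($alice->isCsrfTokenValid('authenticate', ''));       // token missing from the request
```

Only the first check accepts the token. Because the session ID is part of the input, regenerating the session ID (for example at login) invalidates tokens issued earlier.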