CSRF not refreshed #140
Comments
|
Well, if you got time to backport the behavior from Symfony2 you can open a PR. |
|
@j0k3r Thanks for your reply. This was not a feature request. I just wanted to get feedback on the behaviour :) |
|
Hello @michilehr, Thank you to take time to share this issue. As a security related issue we need to be very careful about it. Can you share us the reference on Symfony4 about this behaviour? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi everybody,
at first I want to thank everybody behind this project! Awesome work.
I have a question:
A user clicks on a form, enters his data and sends the form after the session has expired. Maybe he was on the phone, closed his laptop or whatever. When he comes back, he posts the form which results in a csrf validation error.
Now the csrf token will still be the old one on the form with the error. In Symfony2, the user will have the new token so he can post the form with the data already entered.
What's your opinion on this behaviour?
Cheers Michi
The text was updated successfully, but these errors were encountered: