CSRF not refreshed

[michilehr]

Hi everybody,

at first I want to thank everybody behind this project! Awesome work.

I have a question:

A user clicks on a form, enters his data and sends the form after the session has expired. Maybe he was on the phone, closed his laptop or whatever. When he comes back, he posts the form which results in a csrf validation error.
Now the csrf token will still be the old one on the form with the error. In Symfony2, the user will have the new token so he can post the form with the data already entered.

What's your opinion on this behaviour?

Cheers Michi

[j0k3r]

Well, if you got time to backport the behavior from Symfony2 you can open a PR.
Or maybe you should upgrade your project to Symfony 2 :)

[michilehr]

@j0k3r Thanks for your reply. This was not a feature request. I just wanted to get feedback on the behaviour :)

[alquerci]

Hello @michilehr,

Thank you to take time to share this issue.

As a security related issue we need to be very careful about it.

Can you share us the reference on Symfony4 about this behaviour?