From 5fdc49fecd73fa0c2ee42b5ec2ef80a33f40f066 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Rubio?= Date: Mon, 19 Jun 2017 13:27:59 +0200 Subject: [PATCH] Return null when csrfToken is not valid I am not 100% sure of this change, but throwing an `InvalidCsrfTokenException` when the csrfToken is not valid makes the framework redirect to the url returned by `getLoginUrl` method, and from there, it keeps redirecting in a loop until the browser kills the redirections. According to the documentation for `getCredentials` method, it should return `null` when there is some parameter missing, so I guess `null` is the correct value to return when the csrfToken validation fails. --- security/guard_authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/guard_authentication.rst b/security/guard_authentication.rst index 52f8d644a87..c1b940e92a3 100644 --- a/security/guard_authentication.rst +++ b/security/guard_authentication.rst @@ -505,7 +505,7 @@ and add the following logic:: $csrfToken = $request->request->get('_csrf_token'); if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken('authenticate', $csrfToken))) { - throw new InvalidCsrfTokenException('Invalid CSRF token.'); + return null; } // ... all your normal logic
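Review bot: replacing the `throw new InvalidCsrfTokenException('Invalid CSRF token.')` with `return null` in this hunk silently discards the CSRF failure rather than reporting it. In the Guard flow a `null` return from `getCredentials()` means "skip this authenticator", so the request is treated as if no credentials were submitted: `onAuthenticationFailure()` is never called, no "Invalid CSRF token" error reaches the user, and a forged or stale token becomes indistinguishable from a form that was never posted. The commit message itself is not sure the change is right; the `null` convention it cites covers a missing parameter, while this branch handles a present but invalid token, which is an authentication failure and should stay an exception. If the redirect loop comes from the failure handler sending the browser back to a URL this authenticator picks up again, the fix belongs in `onAuthenticationFailure()` or in the check that decides whether the authenticator applies to the request, not in suppressing the error. Keep the `throw`, and if the loop needs to be addressed in the docs, document that in the surrounding text instead.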