Hi,
I have read the last topics on this subject, but I can't fix this problem.
I have worked with my current version 2.1.0 on the development environment, no problem.
It's on Windows, with a WAMP server, PHP 5.6.
When I try to update on the production server, based on Debian 8, with nginx and php-fpm, I have this problem of an invalid token (with the current version or the newest version of the bundle).
I have tried to:
I didn't find any solution.
I am posting a new issue because, in my last test, with these settings:
I have tried the dev-master version and the 2.1.0 version => I have this bug
I have rolled back to the 2.0.1 version => no problem
At this moment, I have blocked any update of this bundle :/
Thanks for your help and your patience.
Same issue for me with php7.1-fpm and Debian 8.
The temporary solution is to downgrade friendsofsymfony/user-bundle to v2.0.2.
Can you give more details about the error you are getting?
I received the notification: the CSRF token is invalid.
I don't know how to give you more details. If you explain, I can provide more screenshots or information. Sorry.
Hi, you need to add the following configuration to config/packages/framework.yaml:
framework:
    # ...
    csrf_protection: { enabled: true }
    templating:
        engines: ['twig']
And with Symfony 4 you don't need to set permissions on the var/cache or var/log folders.
Check the current documentation:
https://symfony.com/doc/current/setup/file_permissions.html
Hi,
The problem persists.
Here is my log:
[2018-02-21 10:57:44] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException(code: 0): Invalid CSRF token. at /home/user/projects/app.com/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php:76)"} []
With v2.1.1 of the bundle, the hidden field _csrf_token is not injected into the login form.
I think the problem comes from there.
My Symfony version is 3.3.16.
Well, are you overriding the controller or the route definition in your project?
I am overriding the controller like this:
use FOS\UserBundle\Controller\SecurityController as FosController;

class SecurityController extends FosController
{
    public function renderLogin(array $data)
    {
        // Pick the template from the matched route name
        $requestAttributes = $this->container->get('request_stack')->getCurrentRequest()->attributes;
        if ('admin_login' === $requestAttributes->get('_route')) {
            $template = 'UserBundle:Security:login_admin.html.twig';
        } else {
            $template = 'UserBundle:Security:login.html.twig';
        }

        return $this->container->get('templating')->renderResponse($template, $data);
    }
}
I am overriding the routing like this:
admin_login:
    path: /{_locale}/back-office/login
    requirements:
        _locale: "%locales_authorized%"
    defaults:
        _controller: FOSUserBundle:Security:login
        _locale: "%locale%"
fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
    prefix: /{_locale}
    requirements:
        _locale: "%locales_authorized%"
    defaults:
        _locale: "%locale%"
I am also overriding the forms; do you need that code?
Got the same problem but found a solution. I had to replace this part:
{% if csrf_token %}
    <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
{% endif %}
with:
<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" />
Great, that works on both versions:
2.0.1
2.1.1
That solves my problem. Thanks @pmdevelopment
How can I prevent this kind of change?
I think it's a bug that will be fixed. In release 2.1.1 the session is played with, and this is needed for the CSRF, so there could be a connection.
Well, the thing is, your route is referencing the FOSUserBundle:Security:login controller (hoping for it to actually use your class thanks to bundle inheritance). But the FOSUserBundle class now gets the csrf token manager in its constructor (using DI). As you don't pass one, the code assumes that there is no CSRF layer in your project.
Changing your template to generate the CSRF token itself instead of relying on the controller to do it indeed works (we cannot do it in the bundle, as this would break projects without the CSRF layer). But you might face issues later related to overriding of controllers.
I suggest you create your own controller from scratch for your login (simplifying the handling of using 2 templates, as you could then have 2 different actions). Most of the logic which exists in the FOSUserBundle controller can be replaced by this code using helpers provided by Symfony:
$authUtils = $this->get('security.authentication_utils');
$error = $authUtils->getLastAuthenticationError();
$lastUsername = $authUtils->getLastUsername();
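A complete version of the controller suggested above, as an added example (not code from FOSUserBundle or from the original poster). It assumes a Symfony 3.3 project, a bundle named UserBundle with the two templates used earlier in the thread, and the default form_login settings (csrf_token_id "authenticate", csrf_parameter "_csrf_token"); the class name, method names and route names are hypothetical. It obtains the CSRF token from the security.csrf.token_manager service, which exists once csrf_protection is enabled, so both the bundle's original {{ csrf_token }} templates and a template calling csrf_token('authenticate') keep working:

```php
<?php
// src/UserBundle/Controller/LoginController.php (hypothetical path and names)

namespace UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

/**
 * Stand-alone login controller replacing FOSUserBundle:Security:login.
 *
 * Hypothetical routing (routing.yml), one action per template:
 *
 *   fos_user_security_login:
 *       path: /{_locale}/login
 *       defaults: { _controller: UserBundle:Login:login }
 *   admin_login:
 *       path: /{_locale}/back-office/login
 *       defaults: { _controller: UserBundle:Login:adminLogin }
 *
 * The form must POST to the firewall's check_path; the firewall's
 * form_login listener validates the "_csrf_token" field against the
 * "authenticate" token id, so both strings below must match that config.
 */
class LoginController extends Controller
{
    const CSRF_TOKEN_ID = 'authenticate';   // form_login.csrf_token_id (Symfony default)

    /**
     * @return Response
     */
    public function loginAction()
    {
        return $this->renderLoginForm('UserBundle:Security:login.html.twig');
    }

    /**
     * @return Response
     */
    public function adminLoginAction()
    {
        return $this->renderLoginForm('UserBundle:Security:login_admin.html.twig');
    }

    /**
     * Shared rendering logic: last error, last username, and a CSRF token
     * generated server-side so templates that expect {{ csrf_token }} still work.
     *
     * @param string $template
     *
     * @return Response
     */
    private function renderLoginForm($template)
    {
        $authUtils = $this->get('security.authentication_utils');
        $error = $authUtils->getLastAuthenticationError();
        $lastUsername = $authUtils->getLastUsername();

        // Only available when framework.csrf_protection is enabled; without it
        // the template must not render a token field at all.
        $csrfToken = null;
        if ($this->has('security.csrf.token_manager')) {
            $csrfToken = $this->get('security.csrf.token_manager')
                ->getToken(self::CSRF_TOKEN_ID)
                ->getValue();
        }

        return $this->render($template, array(
            'last_username' => $lastUsername,
            'error'         => $error,
            'csrf_token'    => $csrfToken,
        ));
    }
}
```

In the template, the hidden field stays `<input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />` guarded by `{% if csrf_token %}`, or is replaced by `{{ csrf_token('authenticate') }}` as in the fix above; either way the token id must equal the one the firewall checks, and the token is bound to the session, so a session cookie that is not sent back (wrong domain, SameSite or Secure settings) produces exactly the "Invalid CSRF token" error seen in the log.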
Oh, it's the 2.1.0 release that's causing the issue. I am not overriding the FOSUserBundle controllers, but importing them explicitly in my routing.yml, and that's what I was doing wrong:
fos_user_security_login:
    path: /login
    defaults: { _controller: FOSUserBundle:Security:login }
The right way now is:
fos_user_security_login:
    path: /login
    controller: fos_user.security.controller:loginAction
Thanks for your help and your tips.
Can I ask for a sample of how I can override the controller?
I would like to do this with best practice, but I don't know how.
We got the same issue in a project and pinned fosuserbundle to a lower version:
"friendsofsymfony/user-bundle": "v2.0.2",
I also found this issue when playing with subdomain-independent login. By default the session cookie is set to "domain.com"; I changed it to ".domain.com" and then back. I ended up with two cookies with different session IDs. I cleaned them up and all works fine.
I'm posting this solution here because it's the first Google result for a search on this problem.
I had a similar problem and finally the solution was in the php.ini file:
the variable post_max_size was equal to 100 MB in production, which was not enough to post the token, the username and the password.
I was stuck for 3 days on this problem xD
Check your session cookie settings. If you use the cookie_samesite parameter with the value lax, then the session cookie cannot be set over HTTP, and you must change the parameter value or use HTTPS.