Basically, session Exception is thrown in Form's __construct() so $form->disableCsrfProtection() is never called.
On 18 nov, 17:57, Jordi Boggiano <[email protected]> wrote: > On 18.11.2010 17:03, Michael wrote: > > > Since > > thishttps://github.com/fabpot/symfony/commit/a198bbcf43f2b2d4d671046f55f6... > > commit I keep getting an exception "The session must be started in > > order to generate a proper CSRF Token". > > Wouldn't it better to just start the session instead of throwing an > > error? or if I should start it, where is the best place to put it? > > The thing is that CSRF protection, without session information, is > basically impossible. So you have two options. Either you turn off the > CSRF security on that form ($form->disableCsrfProtection()), or you > start the session before using the Form, with > $request->getSession()->start() or the like. > > Cheers > > -- > Jordi Boggiano > @seldaek ::http://seld.be/ -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
