How can I protect the logout action? I read default configuration, and set
logout:
csrf_parameter: _token
csrf_provider: ~
intention: logout
but when I'm trying to clear cache the following error displayed:
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException] Unrecognized options "csrf_provider" under "security.firewalls.main.logout"
I'm using Symfony 2.4 + FOSUserBundle 1.3.
I've researched the Symfony's code and find that now csrf_provider option renamed to csrf_token_generator. Then I googled and found related issue on GitHub. So the problem in an unsynchronized documentation.
The final solution is:
configuration:
# app/config/security.yml
security:
# ...
firewalls:
# ...
your_firewall_name:
# ...
logout:
# ...
csrf_token_generator: your_csrf_provider # e.g. form.csrf_provider
twig template:
<a href="{{ logout_url('your_firewall_name') }}">Logout</a>
Note, that we're using logout_url() instead of logout_path() due to helper bug (it generates absolute path without app_dev.php suffix in dev environment). Theese twig helpers appends %token_parameter% to your logout URI, e.g. http://example.com/app_dev.php/logout?_csrf_token=36wX6HYU2ASeZBQw_iwKcUDbplmFm4W7Ez-tMaavDNo.
Hope this information will be helpful.