Why does $form['_csrf_token']->render(); render a hidden input without a value in symfony 1.4.8?

Question

I using symfony 1.4.8 and when trying to render the hidden csrf form field a value is not being added to the rendered field. I've done this before without issue. See the following to examples below to see the code and the rendered output.

Code:

<?php echo $form['_csrf_token']->render(); ?>

Generates:

<input type="hidden" name="contact[_csrf_token]" id="contact__csrf_token" />

---

Code:

<?php echo $form['_csrf_token']->renderRow(); ?>

Generates:

<tr>
  <th><label for="contact__csrf_token"> csrf token</label></th>
  <td><input type="hidden" name="contact[_csrf_token]" value="3cf960d4553e2649f86d0ccd12a26efe" id="contact__csrf_token" /></td>
</tr>

---

As you can see the second method generates the value for the csrf_token, but it also generates all the other row information. The render() method is supposed to just generate the 'widget' (in this case the hidden input field) with the value. For some reason it does not add a value.

Answer 1

Why do you need to explicitly render it? Why are you not using $form->renderHiddenFields() ?

Answer 2

Use $form->renderHiddenFields() instead.

Answer 3

You have to do a hard refresh. Something is stuck in your session.

Hard refresh is Shift+F5

If that fails, delete all your domain cookies for your domain and try again.

It is simply a session issue, provided you've not messed with csrf elsewhere.

Answer 4

Although there are some many different reasons for this behavior in symfony:

• Do not use bind before process form validation.
• Session time is over and there is no session id.
• CSRF Validation is disabled or have not being set a csrf_secret value in settings.yml file

I present a quick solution to get CSRF Token value directly printed:

<input type="hidden" name="signin[_csrf_token]" id="signin__csrf_token" value="<?php echo $form->getCSRFToken(); ?>" />

Using:

$form->getCSRFToken();

will render a new generated CSRF Token.