0

i have website A is a static html page and website B is a symfony script . i was trying to implement a login form in website A to website B using iframe . both website support https , but i've faced 2 issues , 1st issue is the security protocol in the browser will not allow me to send data between 2 website using https and not same domain .

2end. so i added the login form html codes into website A but when i attempt to login after redirecting to website B i've got and error from Symfony invalid CSRF.

is it possible i can generate CSRF code in website A or i should disable the CSRF protection in website B to make this work ?

Noob
  • 2,857
  • 6
  • 33
  • 47
  • CSRF tokens are intended to be unique (to a certain context), so that they can’t be guessed and replayed. Generating a single one for your static site would defeat the purpose. [This answer](https://stackoverflow.com/a/15350123/231316), along with others on the page, talks about why disabling CSRF on a login is not recommended. – Chris Haas Sep 19 '21 at 14:54
  • @ChrisHaas but since CSRF token based on a combination is it possible i can generate 1 into the A website before i submit to B ? – Noob Sep 20 '21 at 06:53
  • If **A** is static, no. But if **A** can dynamically call **B** to get a token, then yes. I'm pretty certain that the call would need to be server side, too, although if the **A** server signed the request (once again, server side) then I think that it could be done client-side. – Chris Haas Sep 20 '21 at 13:26
  • @ChrisHaas , yes A is a dynamic its a php version site , i believe i can make it call B to request a token , but how i can manage this on symfony ? – Noob Sep 20 '21 at 13:34

0 Answers0