[Security] Document CSRF protection for LogoutListener

2012-03-05 12:47:46 -05:00 · 2012-03-05 12:47:46 -05:00 · 654beeec26
commit 654beeec26
parent 97dc9c062f
1 changed files with 22 additions and 0 deletions
--- a/CHANGELOG-2.1.md
+++ b/CHANGELOG-2.1.md
@ -103,6 +103,28 @@ To get the diff between two versions, go to https://github.com/symfony/symfony/c
   fired on authentication success/failure, regardless of authentication method,
   events are defined in new event class: `Symfony\Component\Security\Core\AuthenticationEvents`.

+ * Added optional CSRF protection to LogoutListener:
+
+   ``` yaml
+   security:
+       firewalls:
+           default:
+               logout:
+                   path: /logout_path
+                   target: /
+                   csrf_parameter: _csrf_token        # Optional (defaults to "_csrf_token")
+                   csrf_provider:  form.csrf_provider # Required to enable protection
+                   intention:      logout             # Optional (defaults to "logout")
+   ```
+
+   If the LogoutListener has CSRF protection enabled but cannot validate a token,
+   then a LogoutException will be thrown.
+
+ * Added `logout_url` templating helper and Twig extension, which may be used to
+   generate logout URL's within templates. The security firewall's config key
+   must be specified. If a firewall's logout listener has CSRF protection
+   enabled, a token will be automatically added to the generated URL.
+
 ### SwiftmailerBundle

 * This bundle has been moved to its own repository (https://github.com/symfony/SwiftmailerBundle)