You need to skip CSRF for all actions that might be called during login (e.g. other plugins' default actions on a page where a login can happen).
@bwaidelich I am sure we talked about this before. The problem is that you get authenticated (via POST) very early and then every subrequest action only knows that this is a POST request and you are logged in, which incurs CSRF protection but you couldn’t have known the token because it was the login request…
Just to recap: The CSRF protection is only required if all of the following is true:
- Not a safe request (POST, DELETE, …)
- An account is authenticated
- Authorization checks are not disabled
- There is a policy protecting the target method
- The target action is not annotated with SkipCsrfProtection
You should be able to disable/overrule the 'Neos.Flow:CsrfProtection' firewall filter, but that would reduce the security of your Neos installation. The CSRF filter also protects your Neos Backend!
Probably the easiest and cleanest solution is not to have any method invoked that requires authentication directly after the login. In practice that means: Do a redirect right after authentication. The FE Login Plugin has properties for “Page after login” and “Page after logout” that should do the trick.
use Neos\Flow\Mvc\ActionRequest;

/**
 * Will be triggered upon successful authentication
 *
 * @param ActionRequest $originalRequest The request that was intercepted by the security framework, NULL if there was none
 * @return string
 */
protected function onAuthenticationSuccess(ActionRequest $originalRequest = NULL) {
    if ($originalRequest !== NULL) {
        // Re-issues the intercepted request as a redirect (throws StopActionException, so nothing below runs)
        $this->redirectToRequest($originalRequest);
    }
    // No intercepted request: send the browser to the account page with a 303 so the follow-up is a GET
    $this->response->setStatus(303);
    $this->response->setHeader('Location', '/login/account.html');
}
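As an added example (not code from the thread or from the Neos/Flow project), the following shows the "redirect right after authentication" approach in a complete Flow login controller, together with the alternative the thread mentions for actions that really must run inside the login POST: opting a single side-effect-free action out of the CSRF check with the SkipCsrfProtection annotation. The package key Acme.Site, the controller and action names, and the flash message text are assumptions for illustration; in a real package the two classes would live in separate files.

```php
<?php
// Added example (not from the thread): redirect after login so that no
// policy-protected action is invoked inside the login POST request.
// Package key "Acme.Site", controllers and action names are assumptions.
namespace Acme\Site\Controller;

use Neos\Error\Messages\Message;
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Mvc\ActionRequest;
use Neos\Flow\Mvc\Controller\ActionController;
use Neos\Flow\Security\Authentication\Controller\AbstractAuthenticationController;
use Neos\Flow\Security\Exception\AuthenticationRequiredException;

class LoginController extends AbstractAuthenticationController
{
    /**
     * Renders the login form. This is a GET with no authenticated account,
     * so none of the CSRF preconditions from the recap above is met.
     */
    public function indexAction()
    {
    }

    /**
     * Called by authenticateAction() once the credentials were accepted.
     *
     * The login itself is a POST. From this point on an account is authenticated,
     * so any policy-protected action dispatched in the *same* request would hit
     * the CSRF filter with a token the browser could not have known. A 303
     * redirect turns the follow-up into a fresh GET, a safe request that the
     * CSRF filter does not check.
     *
     * @param ActionRequest $originalRequest The request intercepted by the security framework, NULL if there was none
     * @return void
     */
    protected function onAuthenticationSuccess(ActionRequest $originalRequest = null)
    {
        if ($originalRequest !== null) {
            // Replay the intercepted request; throws StopActionException, so nothing below runs.
            $this->redirectToRequest($originalRequest);
        }
        // Default target after login (assumed controller/action): account overview via 303.
        $this->redirect('index', 'Account', 'Acme.Site', null, 0, 303);
    }

    /**
     * @param AuthenticationRequiredException $exception
     * @return void
     */
    protected function onAuthenticationFailure(AuthenticationRequiredException $exception = null)
    {
        $this->addFlashMessage('Wrong username or password.', 'Login failed', Message::SEVERITY_ERROR);
        $this->redirect('index');
    }
}

class AccountController extends ActionController
{
    /**
     * Policy-protected account overview (protected via a method privilege in
     * Policy.yaml, not shown). After login it is only ever reached through the
     * GET produced by the redirect above, so the CSRF filter never applies.
     */
    public function indexAction()
    {
    }

    /**
     * A policy-protected action rendered on the same page as the login form,
     * which therefore may be dispatched inside the login POST. Annotating it
     * opts it out of the CSRF check; reserve this for actions that only read
     * data and have no side effects.
     *
     * @Flow\SkipCsrfProtection
     */
    public function teaserAction()
    {
    }
}
```

The redirect variant is the one to prefer: it keeps the 'Neos.Flow:CsrfProtection' filter fully active, including for the Neos backend, and only changes the request flow so the login POST never dispatches a protected action. SkipCsrfProtection narrows the exemption to one method, which is still far safer than disabling the firewall filter, but it should only be used on actions where a forged request cannot change state.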