fix: [LiveComponent] CSRF token not valid after form second submit

markitosgv · web-flow · commit dd489df577b6 · 2025-08-20T11:54:48.000+02:00
Fix the “invalid CSRF token” error when working with live-components and submitting a form a second time, for example if a server-side validation fails and the form is re-rendered.
diff --git a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
@@ -33,8 +33,8 @@ export function generateCsrfToken (formElement) {
     if (!csrfCookie && nameCheck.test(csrfToken)) {
         csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);
         csrfField.defaultValue = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))));
-        csrfField.dispatchEvent(new Event('change', { bubbles: true }));
     }
+    csrfField.dispatchEvent(new Event('change', { bubbles: true }));
 
     if (csrfCookie && tokenCheck.test(csrfToken)) {
         const cookie = csrfCookie + '_' + csrfToken + '=' + csrfCookie + '; path=/; samesite=strict';

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,8 @@ export function generateCsrfToken (formElement) {`
`33`	`33`	`if (!csrfCookie && nameCheck.test(csrfToken)) {`
`34`	`34`	`csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);`
`35`	`35`	`csrfField.defaultValue = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto \|\| window.msCrypto).getRandomValues(new Uint8Array(18))));`
`36`		`- csrfField.dispatchEvent(new Event('change', { bubbles: true }));`
`37`	`36`	`}`
	`37`	`+ csrfField.dispatchEvent(new Event('change', { bubbles: true }));`
`38`	`38`
`39`	`39`	`if (csrfCookie && tokenCheck.test(csrfToken)) {`
`40`	`40`	`const cookie = csrfCookie + '_' + csrfToken + '=' + csrfCookie + '; path=/; samesite=strict';`