Monday, January 10, 2022

[FIXED] Invalid CSRF token as a result of session cookie not being set when visiting login form directly

 January 10, 2022     authentication, csrf, php, symfony, twig     No comments   

Issue

Updating this post following further investigation to ensure it is focussed on the actual issue (also now raised at: https://github.com/symfony/symfony/issues/42691)

My Environment

I am running:

  • Symfony 5.3.6
  • PHP version 7.3
  • Debian 10 running on WSL2
  • Symfony development server on localhost, accessed via Chrome on the same machine

Description & What I'm Trying to Achieve

  • I am trying to implement a secure login form by following the Symfony tutorial (https://symfony.com/doc/current/security/form_login_setup.html).
  • I get the error message "Invalid CSRF token." on the first login attempt but not subsequent login attempts.
  • Following debugging (using Xdebug 3) it appears Symfony is not creating a session to link a CSRF token to.

Steps to Reproduce

  • Created a new Symfony project using symfony new test_project
  • Installed the maker bundle using composer require symfony/maker-bundle --dev
  • Followed the security set-up guide (https://symfony.com/doc/current/security.html) sections 1-2
  • Generated a login form using make:auth command following this guide https://symfony.com/doc/current/security/form_login_setup.html
  • Accessed https://localhost:8000/login
  • Submitted the login form with a valid username and password pair, along with the hidden pre-generated CSRF token

The Outcome I Was Expecting

  • A registered user being able to log in at https://localhost:8000/login

The Actual Outcome

  • When accessing https://localhost:8000/login, no cookie is set
  • When submitting the login form including the CSRF token, as there is no cookie with this request, Symfony finds no session, and so naturally finds no CSRF token
  • As there is no CSRF token, Symfony throws an exception "Invalid CSRF token." The response headers of this include a cookie that represents a session (assuming automatically, as I have followed the Symfony tutorial)
  • When submitting the login form for the second time, as there is a cookie sent in the request headers, Symfony "finds" the CSRF token on the session and so the login works as expected

Solution

After posting on Symfony's github, their response helped me uncover the issue. Here is my post for interest.

It appears the issue was that I was using PHP 7.3 which has reached its end of life. I managed to keep all my original configuration settings in security.yaml and framework.yaml the same and get my own Symfony project to now work. However, there was nothing in Symfony that alerted me that PHP 7.3 would be incompatible.

What I did

  • Upgraded to PHP 8.0.10 following this guide

The outcome

  • I no longer get the CSRF error and my login functionality all works as expected on my own Symfony project.


Answered By - Lushawn
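As an added illustration of the mechanism the question describes (this is constructed example code, not code from the original post or from Symfony): a toy server whose CSRF token lives in a server-side session that the browser can only reach through its session cookie, so a form rendered before any session exists yields a token the server cannot find on the first POST. The class `ToyLoginServer`, its methods and the `PHPSESSID` cookie name are assumptions of this example.

```php
<?php
// Constructed toy server (not Symfony's code): CSRF tokens are kept in a
// server-side session that the browser can only reach through its session cookie.
final class ToyLoginServer
{
    /** @var array<string, string> session id => CSRF token stored for the login form */
    private array $sessions = [];
    /** GET /login: returns [token for the hidden field, Set-Cookie header value or null]. */
    public function renderForm(?string $cookie, bool $startSession): array
    {
        $token = bin2hex(random_bytes(16));
        if ($cookie === null && !$startSession) {
            return [$token, null];  // the reported bug: a token with no session to live in
        }
        [$sid, $setCookie] = $this->session($cookie);
        $this->sessions[$sid] = $token;
        return [$token, $setCookie];
    }

    /** POST /login: returns [token accepted?, Set-Cookie header value or null]. */
    public function submit(?string $cookie, string $token): array
    {
        [$sid, $setCookie] = $this->session($cookie);
        $stored = $this->sessions[$sid];
        // Timing-safe comparison; an empty stored value means "no token on this session".
        return [$stored !== '' && hash_equals($stored, $token), $setCookie];
    }
    /** Reuse the session named by the cookie, or create a new one and emit Set-Cookie. */
    private function session(?string $cookie): array
    {
        if ($cookie !== null && array_key_exists($cookie, $this->sessions)) {
            return [$cookie, null];
        }
        $sid = bin2hex(random_bytes(8));
        $this->sessions[$sid] = '';
        return [$sid, 'PHPSESSID=' . $sid];
    }
}

$server = new ToyLoginServer();
$sidOf = fn (string $setCookie): string => substr($setCookie, strlen('PHPSESSID='));
// Flow from the question: the form is rendered without starting a session, so the POST
// carries no cookie and the server has no session in which to look the token up.
[$token, $cookie] = $server->renderForm(null, false);
[$firstAttempt, $setCookie] = $server->submit($cookie, $token);   // a session is created only now
// Expected behaviour: start the session while rendering, so the cookie precedes the POST.
[$token, $cookie] = $server->renderForm(null, true);
[$fixedAttempt] = $server->submit($sidOf($cookie), $token);
var_dump($firstAttempt, $fixedAttempt);
```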