Symfony - CSRF field on login page is empty after session times out and unrelated form is submitted


I'm using Symfony 1.4 with the sfGuardPlugin. If my session times out while I'm sitting on a page within the app, and I try to submit a form that is on that page, I will get redirected to the login page (this is good, because my session has timed out). But it thinks the login form has already been submitted, and that I've failed validation -- username, password, and CSRF are all missing and required.

Why does it think I've already submitted the login form, and why is the CSRF empty?

Now as a user I would be totally stuck, because I'm on the login page and the hidden CSRF field is empty. Even if I fill in the username and password, I can never pass validation because the CSRF is required.

I'm not really sure where to look. My sfGuardPlugin configuration is fairly standard, I think. The login page and the CSRF protection generally work fine.

The action I'm using just does $this->form->bind($request->getParameter($this->form->getName()), $request->getFiles($this->form->getName()));


There are some mistakes you may be making:

  1. Processing the form on both GET and POST. Add if($request->isMethod('post')) to handle the form submit only on POST.
  2. Not rendering the hidden field in the template. The CSRF field is hidden; use echo $form to render the entire form, or $form->renderHiddenFields().
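An added example (not from the question or from sfGuardPlugin) of a Symfony 1.4 signin action that applies the answer's POST check and, going one step further for the forwarded-request case described in the question, binds only when the request actually carries the signin form's own parameter namespace; the class, route and template names are assumptions.

```php
<?php
// Added illustration: a Symfony 1.4 signin action that binds the login form
// only for a genuine submission of that form. Class and route names are
// hypothetical; the form is sfGuardPlugin's sfGuardFormSignin.
class signinActions extends sfActions
{
    public function executeSignin(sfWebRequest $request)
    {
        $this->form = new sfGuardFormSignin();
        $formName = $this->form->getName(); // 'signin' by default

        // A plain GET renders an empty form with a fresh CSRF token.
        // A POST that was forwarded here by the security filter after a
        // session timeout is still a POST, but it belongs to some other form,
        // so it carries no 'signin' parameter namespace: skip binding and
        // render the empty login form instead of a failed validation.
        if ($request->isMethod('post') && $request->hasParameter($formName)) {
            $this->form->bind(
                $request->getParameter($formName),
                $request->getFiles($formName)
            );

            if ($this->form->isValid()) {
                $values = $this->form->getValues();
                $this->getUser()->signIn($values['user'], !empty($values['remember']));
                $this->redirect('@homepage');
            }
        }

        // Falls through to signinSuccess.php. That template must output the
        // hidden fields so the CSRF token is posted back with the credentials:
        //   <?php echo $form->renderHiddenFields() ?>
        // or, to render every field including the hidden ones:
        //   <?php echo $form ?>
    }
}
```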