CakePHP 3.6.10 disable completely CSRF token check

Submitted by 魔方 西西 on 2021-01-29 06:08:38

Question


I need to completely disable the control of the CSRF token for my application. I tried to use:

    public function beforeFilter(Event $event)
    {
      $this->getEventManager()->off($this->Csrf);
    }

In AppController but it does not seem to work. Manual link: Disabling the CSRF Component for Specific Actions

I did a lot of tests and read many posts, but I could not solve it.

Ty.

@omerowitz This is my AppController before filter action:

    public function beforeFilter(Event $event)
    {
        $this->getEventManager()->off($this->Security);
        if ($this->request->is('post')) {
            $this->getEventManager()->off($this->Csrf);
        }
        $this->Auth->allow(['index', 'view', 'display']);
    }

but it still does not work; I still get the error 'CSRF token mismatch.' when I make a request with Postman.

SOLUTION:

I have removed this:

    ->add(new CsrfProtectionMiddleware([
        'httpOnly' => true
    ]));

from Application.php. Why is this not indicated in the manual?

Ty all!


Answer 1:

I think in Cake 3.6 you should remove CsrfProtectionMiddleware from the middleware queue in src/Application.php.




Answer 2:

You also need to disable the Security component. I use this for my API controllers:

    $this->getEventManager()->off($this->Security);

    if ($this->request->is('post')) {
        $this->getEventManager()->off($this->Csrf);
    }

I disable it only for POST requests, although disabling both Security and Csrf will work as well.


Edit: I put it in my AppController, although it will work per-controller.

The Security component seems to enable CSRF and form tampering protection.

https://book.cakephp.org/3.0/en/controllers/components/security.html




Answer 3:

You can try this:

    public function beforeFilter(Event $event)
    {
        $this->getEventManager()->makeMess($this->Csrf);
    }

It's working for me!

You can also try with Python or Symfony 2.8.




Answer 4:

    // src/Application.php

    public function middleware($middlewareQueue)
    {
        $middlewareQueue
            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(ErrorHandlerMiddleware::class)

            // Handle plugin/theme assets like CakePHP normally does.
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime')
            ]))

            // Add routing middleware.
            // Routes collection cache enabled by default, to disable route caching
            // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
            // you might want to disable this cache in case your routing is extremely simple
            ->add(new RoutingMiddleware($this, '_cake_routes_'));

            // Add csrf middleware.
            // Comment out the following code.
            /* ->add(new CsrfProtectionMiddleware([
                'httpOnly' => true
            ])); */

        return $middlewareQueue;
    }

    // Your particular controller, in my case UsersController:

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        $this->viewBuilder()->layout('admin');
        $this->getEventManager()->off($this->Security);
    }

    // for the initialize method

    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
        $this->loadComponent('Security');
    }

Try this. It's working...




Answer 5:

In CakePHP 3.6.10:

  1. Go to src/Application.php
  2. Search for the function middleware
  3. Comment out the line below:

    ->add(new CsrfProtectionMiddleware([ 'httpOnly' => true ]));

This would completely disable the CSRF token check.




Answer 6:

I'm using whitelistCallback for a special prefix or an array of actions:

    // in src/Application.php
    use Cake\Http\Middleware\CsrfProtectionMiddleware;

    public function middleware($middlewareQueue)
    {
        $csrf = new CsrfProtectionMiddleware();

        // Token check will be skipped when the callback returns `true`.
        $csrf->whitelistCallback(function ($request) {
            // Skip token check for API URLs.
            if ($request->getParam('prefix') === 'api') {
                return true;
            }
        });

        // Ensure routing middleware is added to the queue before CSRF protection middleware.
        $middlewareQueue->add($csrf);

        return $middlewareQueue;
    }
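The difference between Answer 6 and the "remove the middleware" answers is what stays protected: a whitelist callback skips the token check only for the requests it names, while browser form posts still go through the double-submit cookie comparison. The following is an added, self-contained PHP script (not CakePHP's own code and not from the thread) that mimics that behaviour on constructed requests; the array-shaped `$request`, the `csrfCheck()` function and the `$apiOnly` callback are assumptions made for this illustration, while the cookie name `csrfToken`, the form field `_csrfToken` and the `X-CSRF-Token` header follow CakePHP's defaults.

```php
<?php
// Added illustration for this thread, not CakePHP's own code: a minimal
// double-submit-cookie CSRF check with a whitelist callback, modelled on what
// CsrfProtectionMiddleware does. The array-shaped $request and the helper
// names are assumptions made for this example.

function csrfCheck(array $request, ?callable $whitelist = null): bool
{
    // Safe methods change no state, so no token is required for them.
    if (in_array($request['method'], ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    // A callback returning true skips the check for that request only,
    // e.g. an /api prefix that authenticates with a bearer token instead.
    if ($whitelist !== null && $whitelist($request) === true) {
        return true;
    }

    // Double-submit: the cookie value must match the token sent in the body
    // (_csrfToken) or in the X-CSRF-Token header.
    $cookie = $request['cookies']['csrfToken'] ?? '';
    $token  = $request['data']['_csrfToken']
        ?? $request['headers']['X-CSRF-Token']
        ?? '';

    if ($cookie === '' || $token === '') {
        return false;
    }

    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals($cookie, $token);
}

// Whitelist only the API prefix, as in the whitelistCallback answer above.
$apiOnly = function (array $request): bool {
    return ($request['params']['prefix'] ?? null) === 'api';
};

$token = bin2hex(random_bytes(16));

// Constructed sample requests for this example.
$requests = [
    'form POST, matching token' => ['method' => 'POST', 'params' => [],
        'cookies' => ['csrfToken' => $token], 'data' => ['_csrfToken' => $token], 'headers' => []],
    'form POST, no token'       => ['method' => 'POST', 'params' => [],
        'cookies' => ['csrfToken' => $token], 'data' => [], 'headers' => []],
    'form POST, wrong token'    => ['method' => 'POST', 'params' => [],
        'cookies' => ['csrfToken' => $token], 'data' => ['_csrfToken' => 'stale'], 'headers' => []],
    'API POST, no token'        => ['method' => 'POST', 'params' => ['prefix' => 'api'],
        'cookies' => [], 'data' => [], 'headers' => []],
    'AJAX POST via header'      => ['method' => 'POST', 'params' => [],
        'cookies' => ['csrfToken' => $token], 'data' => [], 'headers' => ['X-CSRF-Token' => $token]],
];

foreach ($requests as $label => $request) {
    $verdict = csrfCheck($request, $apiOnly) ? 'accepted' : 'CSRF token mismatch';
    printf("%-26s -> %s\n", $label, $verdict);
}
```

Run it with `php csrf_demo.php`: the two cross-site-style form posts (missing or wrong token) are rejected, the API request passes because of the callback, and the normal form and AJAX requests pass because their token matches the cookie. Removing `CsrfProtectionMiddleware` from the queue, as in the accepted solution, makes every one of these requests "accepted", including the first two.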


Source: https://stackoverflow.com/questions/52147836/cakephp-3-6-10-disable-completely-csrf-token-check
