CSRF Middleware

Now that CSRF protection has been moved to middleware I am not finding a convenient way to turn it off within the application for certain actions. This seems to become an issue when you are trying to implement RESTful API endpoints within the application. Are there any plans to facilitate the activation/deactivation of CSRF protection for defined actions?

I was also noticing that when submitting AJAX requests back to the server it is being recommended to retrieve the CSRF token from the csrfToken Cookie. If the cookie is set to secure and httpOnly (which I believe is best practice), you will not be able to retrieve the token this way. You would need to use `$this->request->getParam('_csrfToken')`. Is there a reason this would not be the case?

There is an issue on github that discusses this problem. Unfortunately there is not a “drop in” replacement for the older Csrf component feature in the new middleware. You will have to work a bit harder to come up with the new way. If you do sort out a concrete example, please add a note to the github issue:

https://github.com/cakephp/app/issues/540

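One way to work around the missing per-action switch, as an added example that is not code from this thread or from the cakephp/app issue: wrap the CakePHP 3 `CsrfProtectionMiddleware` in a small middleware that bypasses the check only for an explicit allow-list of path prefixes. It assumes the CakePHP 3.5 callable middleware signature `($request, $response, $next)`; the class name `ConditionalCsrfMiddleware` and the `/api/` prefix are my own choices.

```php
<?php
// Added example (not from the thread): skip CSRF only for allow-listed paths.
// Assumes CakePHP 3.5+ callable middleware: ($request, $response, $next).
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

class ConditionalCsrfMiddleware
{
    private $csrf;
    private $skipPrefixes;

    /**
     * @param string[] $skipPrefixes Path prefixes exempt from the CSRF check, e.g. ['/api/'].
     *        Only list endpoints that do not rely on the browser session cookie for
     *        authentication (token-authenticated REST endpoints); everything else stays protected.
     * @param array    $csrfOptions  Options passed through to CsrfProtectionMiddleware.
     */
    public function __construct(array $skipPrefixes, array $csrfOptions = [])
    {
        $this->skipPrefixes = $skipPrefixes;
        $this->csrf = new CsrfProtectionMiddleware($csrfOptions + [
            'httpOnly' => true, // JS cannot read the cookie; use the '_csrfToken' request param instead
            'secure'   => true, // cookie is only sent over HTTPS
        ]);
    }

    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
    {
        $path = $request->getUri()->getPath();
        foreach ($this->skipPrefixes as $prefix) {
            if (strpos($path, $prefix) === 0) {
                // Exempt route: hand straight to the next middleware, no token check.
                return $next($request, $response);
            }
        }
        // Every other route goes through the normal CSRF token validation.
        return ($this->csrf)($request, $response, $next);
    }
}

// In src/Application.php, replace the plain CsrfProtectionMiddleware with:
//   $middlewareQueue->add(new ConditionalCsrfMiddleware(['/api/']));
//
// With httpOnly cookies, expose the token to AJAX code from a view instead, e.g. in a
// meta tag filled from $this->request->getParam('_csrfToken'), and send it in the
// X-CSRF-Token header.
```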