CSRF Middleware

Now that CSRF protection has been moved to middleware I am not finding a convenient way to turn it off within the application for certain actions. This seems to become an issue when you are trying to implement RESTful API endpoints within the application. Are there any plans to facilitate the activation/deactivation of CSRF protection for defined actions?

I was also noticing that when submitting AJAX requests back to the server it is being recommended to retrieve the CSRF token from the csrfToken Cookie. If the cookie is set to secure and httpOnly, (which I believe is best practice), you will not be able to retrieve the token this way. You would need to use $this->request->getParam(’_csrfToken’). Is there a reason this would not be the case?

There is an issue on github that discusses this problem. Unfortunately there is not a “drop in” replacement for the older Csrf component feature in the new middleware. You will have to work a bit harder to come up with the new way. If you do sort it out a concrete example please add a note to the github issue:


1 Like