I’ve read through the other topics with this same issue but none apply to my situation.
- I am getting this error from standard form posts (no AJAX at the moment).
- I am using the middleware like this:
->add(new CsrfProtectionMiddleware([
'httpOnly' => true
]))
I can verify that the form contains the CSRF token and that it matches my browser’s cookie.
However, I can also verify that I’m losing the $post variable when the middleware is run through its second pass (the response side). I’m debugging here:
vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php (Line 198)
protected function _validateToken(ServerRequest $request)
{
$cookies = $request->getCookieParams();
$cookie = Hash::get($cookies, $this->_config['cookieName']);
$post = Hash::get($request->getParsedBody(), $this->_config['field']);
$header = $request->getHeaderLine('X-CSRF-Token');
if (!$cookie) {
throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token cookie'));
}
# var_dump($post); var_dump($cookie);
if (!Security::constantEquals($post, $cookie) && !Security::constantEquals($header, $cookie)) {
throw new InvalidCsrfTokenException(__d('cake', 'CSRF token mismatch.'));
}
}
- On the first pass, the values match.
- On the second pass,
$postisnull.
What could cause this?