Missing CSRF token body

shravanuchil · April 11, 2020, 5:33am

I am using authentication, authorization plugins and also CSRF middle-ware.
and I am getting above error (Missing CSRF token body).

I tried to debug and i found something.
Middleware queue process one by one middlewares.
when it CSRF get processed then it get csrf token from parsebody method.
but after the process CSRF middleware unset the csrf data from the body.

and then in authentication middleware process again it calls CSRF validation and then it doesn’t find CSRF token in body(because it already unset in CSRF middleware) and it throws above error.

I fixed this by commenting unset line in CSRF.

`$body = $request->getParsedBody();

    if (is_array($body)) {

       // unset($body[$this->_config['field']]);

        $request = $request->withParsedBody($body);

    }`

please let me know is this valid behavior or am I doing something wrong.

Zuluru · April 11, 2020, 4:00pm

I checked the Authentication plugin, and “CSRF” doesn’t appear anywhere in that code. Can you explain more about “in authentication middleware process again it calls CSRF validation”?

shravanuchil · April 12, 2020, 8:15am

public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $authentication = new AuthenticationMiddleware($this);
    $middlewareQueue
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))
        ->add(new CsrfProtectionMiddleware())
        ->add($authentication)
        ->add(new AuthorizationMiddleware($this))
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))
        ->add(new RoutingMiddleware($this));

    return $middlewareQueue;
}

This is my code and i get error while login.

dreamingmind · April 12, 2020, 5:08pm

among any other problems, I think you will have to add your RoutingMiddleware earlier. Any other middleware that tries to use logic based on Cake Routing patterns and assumptions is going to fail

shravanuchil · April 13, 2020, 6:48am

I tried adding CSRFMiddleware at the end but still same result.

Zuluru · April 13, 2020, 4:27pm

My application has them in this order:

ErrorHandler (first so it handles all errors)
Asset (next so it minimizes processing for static files)
Routing (so that the route information is available for the rest)
Body Parser (which you aren’t using, that should be fine)
CSRF (make sure that the form contents are okay)
Authentication (uses form contents to log in)
Authorization (uses authentication results, so has to be after it)

I don’t expect that just changing it to this order will fix this issue, but it may help with other problems that you haven’t run into yet. But just randomly moving CSRF to the end is also not going to be useful, the main point here is that there’s a reason why things are in their particular order. Doing CSRF checks on form contents after you’ve used the form contents to log somebody in defeats the purpose! See the middleware chapter for more about this.

Assuming that this doesn’t solve the issue for you, what you’ll need to do is look at the call stack when the error is happening. There is no reason why anything should be checking the token again after the CSRF middleware has passed processing to the next level, so seeing the execution path that’s leading to that will be critical for understanding what’s going wrong; somewhere in there, something is calling something that it shouldn’t be.

shravanuchil · April 14, 2020, 5:56am

Thanks for this, I have changed the order.

shravanuchil · April 14, 2020, 5:57am

dreamingmind · April 14, 2020, 2:51pm

Looks like you have the CSRF Middleware installed twice. You can see that is called twice in the stack-trace on the left.

shravanuchil · April 18, 2020, 11:55am

Thanks, I removed CSRF from Application.php and it worked.
but I checked but its not declared in bootstrap or app.

Zuluru · April 18, 2020, 1:33pm

If you have an integrated debugger, but a breakpoint in the constructor for the CSRF middleware. If not, dump the stack trace in that function instead. Either way will point you to where it’s being added from. It should be happening twice, once where you expect and one other place.

sudhir2518 · May 21, 2020, 6:58am

I am getting missing 'csrf token body ’ exception while doing form submission,

I added following in my application.php
->add(new CsrfProtectionMiddleware());
when the project is created through composer why there is this exception? I am new to php frameworks and I got stuck up here
how can I resolve this

Zuluru · May 21, 2020, 2:20pm

Exactly like the previous poster, your stack trace shows that you have the middleware loaded twice, once before the BodyParser and once after.

shravanuchil · May 21, 2020, 5:42pm

Don’t add ->add(new CsrfProtectionMiddleware()); in application.php
its already added somewhere else.
remove or comment ->add(new CsrfProtectionMiddleware());
it will work perfectly.

sudhir2518 · May 22, 2020, 8:32am

after removing ‘->add(new CsrfProtectionMiddleware());’ It is working now thank you

Topic		Replies	Views
How to catch "CSRF token from either the request body or request headers did not match or is missing." Need Help	6	1794	June 20, 2023
Cakephp 3.8 CSRF token mismatch Need Help release	16	4137	March 20, 2020
CSRF error in Ajax POST request Need Help	5	4886	November 18, 2020
"CSRF token mismatch" (Cake 3.7.9)	0	980	September 23, 2019
Cakephp 3.7 REST Api issue "Missing CSRF token cookie" Need Help	6	3260	May 14, 2024

Missing CSRF token body

Releases

Documentation

Community

Missing CSRF token body

Related topics

Releases

Documentation

Community