[solved] CSRF cookie not found by Angular front app (3.6.10)

Hello,

I am using a REST API and migrating.
I can see the CSRF cookie with debugKit.

When I get all cookies from AngularJS 1.5.3, I can only get the XDEBUG_SESSION cookie as well as the others: GA cookies and cookies I am adding with Angular.
Neither the CAKEPHP nor the csrfToken cookie is read.

Here is my config in app.php
<?php
namespace App;

use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        $middlewareQueue
            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(ErrorHandlerMiddleware::class)

            // Handle plugin/theme assets like CakePHP normally does.
            ->add(AssetMiddleware::class)

            // Add routing middleware.
            // Routes collection cache enabled by default, to disable route caching
            // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
            // you might want to disable this cache in case your routing is extremely simple
            ->add(new RoutingMiddleware($this, '_cake_routes_'))

            // Add csrf middleware.
            // httpOnly false: the token cookie stays readable from JS;
            // cookieName: the cookie is issued as 'totoCSRF', not the default 'csrfToken'.
            ->add(new CsrfProtectionMiddleware([
                'httpOnly'      => false,
                'cookieName'    => 'totoCSRF'
            ]));

        return $middlewareQueue;
    }
}

What am I missing?
Thank you for your help

This may help: Ajax jquery Error cakephp 3.6.10 (Solved)

1 Like

Thanks for your answer.
I read it before (I am trying to read every post before adding a question). Here they read the hidden field, which is not possible with Angular (except if you know a trick).
On my side, I am trying to read the cookie.
I kept trying:

  • from CakePHP: I can read the cookies I am adding using Angular
  • from Angular: I can read only cookies created apart from CakePHP

Something in my configuration must prevent it, but I could not find it reading the cookbook.

Kitcat

I do not know. What I would try is to disable CSRF and see if there is any difference.

Here is my solution:
In the Application.php file, the CSRF section of the middleware function must have the httpOnly parameter set to false in order to make it readable by the JS script.

// Same middleware() method of src/Application.php as above; only the CSRF part is shown.
public function middleware($middlewareQueue)
{
    $middlewareQueue

        // Add csrf middleware.
        ->add(new CsrfProtectionMiddleware([
            'httpOnly'      => false, // To allow the APIs to work
        ]));

    return $middlewareQueue;
}

I am not sure though that this is clean or even a bug, because httpOnly means to me that an HTTP request through AJAX should work fine too, but I may be misled on this one.

See https://www.owasp.org/index.php/HttpOnly for some more information.

Basically httpOnly means that the cookie cannot be read or written by any client-side/JS code, including AJAX.

1 Like
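As an added example (not code from this thread, from CakePHP or from AngularJS) tying the solution post and the HttpOnly explanation together: the browser-side half of the fix, reading the now non-HttpOnly CSRF cookie and sending it back as the X-CSRF-Token header that CsrfProtectionMiddleware accepts in place of the _csrfToken form field. The cookie name 'csrfToken' (CakePHP's default), the Angular module name 'app' and the sample document.cookie strings are assumptions I constructed.

```javascript
// Added example (not from the thread or from CakePHP/AngularJS): read the CSRF
// cookie in the browser and send it back as the X-CSRF-Token header, which
// CakePHP's CsrfProtectionMiddleware accepts in place of the _csrfToken field.
// Cookie name assumed: the middleware default 'csrfToken'; the first snippet in
// the thread renames it to 'totoCSRF', in which case pass that name instead.

// Parse a document.cookie string ("a=1; b=2") into an object. An HttpOnly
// cookie is never exposed in document.cookie, so it simply will not be present.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;                       // skip malformed fragments
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Headers to attach to a state-changing request. Returns null when the token
// cookie is not visible, which is exactly the symptom of an HttpOnly CSRF
// cookie: the request goes out without a token and CakePHP rejects it.
function csrfHeaders(cookieString, cookieName = 'csrfToken') {
  const token = parseCookies(cookieString)[cookieName];
  if (!token) return null;
  return { 'X-CSRF-Token': token };
}

// AngularJS 1.x wiring (constructed; only executes when angular is loaded):
// $http already implements cookie-to-header XSRF handling, so it is enough to
// point it at CakePHP's cookie and header names instead of its own defaults.
if (typeof angular !== 'undefined') {
  angular.module('app').config(['$httpProvider', function ($httpProvider) {
    $httpProvider.defaults.xsrfCookieName = 'csrfToken';
    $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
  }]);
}

// Constructed samples of document.cookie: with httpOnly => false the CSRF
// cookie is readable alongside the debugger and analytics cookies ...
const SAMPLE_VISIBLE = 'XDEBUG_SESSION=PHPSTORM; _ga=GA1.2.1; csrfToken=abc123';
// ... with httpOnly => true the browser leaves it out entirely.
const SAMPLE_HIDDEN = 'XDEBUG_SESSION=PHPSTORM; _ga=GA1.2.1';
```

With the header set this way the middleware validates the request without a hidden form field, which is the case Angular could not cover.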

Thanks, I figured that out :wink:
Not sure if the way I made it work is the best… but it works.
Thank you again for your help.