I am using a REST API and migrating.
I can see the CSRF cookie with debugKit.
When I get all cookies from AngularJS 1.5.3 I can only get the XDEBUG_SESSION cookie as well as the others: GA cookies and cookies I am adding with Angular.
Neither the CAKEPHP nor the csrfToken cookie is read.
Here is my config in app.php
<?php
// src/Application.php (excerpt)
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;

public function middleware($middlewareQueue)
{
    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(ErrorHandlerMiddleware::class)
        // Handle plugin/theme assets like CakePHP normally does.
        ->add(AssetMiddleware::class)
        // Add routing middleware.
        // Routes collection cache enabled by default, to disable route caching
        // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
        // you might want to disable this cache in case your routing is extremely simple
        ->add(new RoutingMiddleware($this, '_cake_routes_'))
        // Add csrf middleware.
        ->add(new CsrfProtectionMiddleware([
            'httpOnly' => false,
            'cookieName' => 'totoCSRF'
        ]));
    return $middlewareQueue;
}
Thanks for your answer.
I read it before (I am trying to read every post before adding a question). Here they read the hidden field, which is not possible with Angular (except if you know a trick).
On my side, I am trying to read the cookie.
I kept trying:
from CakePHP: I can read the cookies I am adding using Angular
from Angular: I can read only cookies created apart from CakePHP
Something in my configuration must prevent it, but I could find it reading the cookbook.
Here is my solution:
In the Application.php file, the CSRF section of the MiddleWare function must have the httpOnly parameter set to false in order to make it readable by the JS script.
<?php
// src/Application.php (excerpt)
use Cake\Http\Middleware\CsrfProtectionMiddleware;

public function middleware($middlewareQueue)
{
    $middlewareQueue
        // Add csrf middleware.
        ->add(new CsrfProtectionMiddleware([
            'httpOnly' => false, // To allow the APIs to work
        ]));
    return $middlewareQueue;
}
I am not sure though that this is clean or even a bug, because httpOnly means to me that an HTTP request through AJAX should work fine too, but I may be misled on this one.