
Yii2: Using csrf token


First, if you do not know what a CSRF token is and why it should be used, please refer to the following link:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

One of the new features of Yii2 is CSRF validation, which is enabled by default.
If you submit an Ajax request or a basic form like the following:

<form action='#' method='POST'>
    ...........
</form>

you will get this exception:

Bad Request (#400): Unable to verify your data submission

That is because the request did not include the CSRF token. The easiest fix, if you do not care about CSRF protection, is to disable the validation in the main config:

'components' => [
    'request' => [
        ....
        'enableCsrfValidation' => false, // turns CSRF validation off for every request
    ],
    .....
],

Or in a single controller:

public function beforeAction($action)
{
    // turns CSRF validation off for the actions of this controller only
    $this->enableCsrfValidation = false;
    return parent::beforeAction($action);
}

So, how do you keep CSRF validation enabled on a site you want to be secure?

* With a basic form:
- Create the form with yii\widgets\ActiveForm or yii\bootstrap\ActiveForm.
ActiveForm automatically adds the token to the form as a hidden input.

You can use it like this:

<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
    <?= $form->field($model, 'username') ?>
    <?= $form->field($model, 'password')->passwordInput() ?>
    ....
<?php ActiveForm::end(); ?>

Or

<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
      <input type='text' name='name'/>
      .........
<?php ActiveForm::end(); ?>

* With a manual form:
you must add the CSRF token to the form yourself, in a hidden input whose name is the request component's csrfParam (`_csrf` by default):

<form action='#' method='POST'>
   <input type="hidden" name="_csrf" value="<?=Yii::$app->request->getCsrfToken()?>" />
   ....
</form>

* With Ajax:
- In the main layout, add csrfMetaTags:
<head>
   .......
   <?= Html::csrfMetaTags() ?>
</head>

- And in the JavaScript Ajax code, read the token from the meta tag and send it as the _csrf parameter, like this:

// the value rendered by Html::csrfMetaTags() in the layout
var csrfToken = $('meta[name="csrf-token"]').attr("content");
$.ajax({
    url: 'request',
    type: 'post',
    dataType: 'json',
    // the token travels with the other POST data under the _csrf name
    data: {param1: param1, _csrf: csrfToken}
});

source : http://zero-exception.blogspot.com/2015/01/yii2-using-csrf-token.html
