PHP Class Cake\Controller\Component\CsrfComponent

This component implements the double-submit cookie pattern: it mints a random CSRF token, stores it in a cookie, and on each PATCH, POST, PUT or DELETE request compares the cookie value against the token submitted in the request data (the _csrfToken form field by default) or in the X-CSRF-Token header. No token state is kept on the server; the check relies on an attacker not being able to set cookies for your domain and not being able to read the token out of your pages. If the submitted token is missing or does not match the cookie data, a ForbiddenException is raised. Only those four methods are checked, so a state-changing action that can be reached by GET is not protected by this component. The component integrates with FormHelper automatically: when they are used together, every form opened with $this->Form->create(...) in a view gets the CSRF token added as a hidden field.
Inheritance: extends Cake\Controller\Component
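An added example (not code from the CakePHP project) of the component wired into a hypothetical application's AppController. The component and config keys are the ones documented on this page; the class, the beforeRender hook and the csrfToken view variable are assumptions made for the example. It enables both cookie flags, which default to false, and passes the minted token to the view so a script can send the X-CSRF-Token header even though it can no longer read the cookie:

```php
<?php
// Added example, not part of the CakePHP source. AppController, beforeRender()
// and the csrfToken view variable are hypothetical choices for this example.
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();

        // Both flags default to false. 'secure' keeps the token cookie off
        // plain-HTTP requests; 'httpOnly' keeps page scripts (and an XSS
        // payload) from reading the cookie. With httpOnly on, client-side
        // code has to get the token from the page, not from document.cookie.
        $this->loadComponent('Csrf', [
            'secure' => true,
            'httpOnly' => true,
        ]);
    }

    public function beforeRender(Event $event)
    {
        // CsrfComponent::startup() copies the cookie value (or the token it
        // has just minted) into request->params['_csrfToken']. It is absent
        // for RequestAction requests, which the component does not process,
        // so guard the lookup instead of assuming the key exists.
        $token = isset($this->request->params['_csrfToken'])
            ? $this->request->params['_csrfToken']
            : null;

        // Templates can emit this as e.g. a <meta name="csrf-token"> tag;
        // JavaScript then sends it in the X-CSRF-Token header on its own
        // PATCH/POST/PUT/DELETE requests, and _validateToken() accepts the
        // header in place of the form field.
        $this->set('csrfToken', $token);
    }
}
```

In the layout the variable is written out with h($csrfToken) so the token is HTML-escaped; a value served this way is only readable by same-origin script, which is what keeps the double-submit check sound when the cookie itself is HttpOnly.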

Protected Properties

Property Type Description
$_defaultConfig array Default configuration:
- cookieName: The name of the cookie to send.
- expiry: How long the CSRF token should last. Defaults to browser session.
- secure: Whether or not the cookie will be set with the Secure flag. Defaults to false; set it to true on an HTTPS site so the token cookie is never sent in clear text.
- httpOnly: Whether or not the cookie will be set with the HttpOnly flag. Defaults to false; enabling it stops scripts from reading the token cookie, so client-side code that sends the X-CSRF-Token header must obtain the token from request->params['_csrfToken'] (rendered into the page) rather than from the cookie.
- field: The form field to check. Changing this will also require configuring FormHelper.

Public Methods

Method Description
implementedEvents ( ) : array Events supported by this component.
startup ( Cake\Event\Event $event ) : void Startup callback.

Protected Methods

Method Description
_setCookie ( Cake\Network\Request $request, Response $response ) : void Set the cookie in the response.
_validateToken ( Cake\Network\Request $request ) : void Validate the request data against the cookie token.

Method Details

_setCookie() protected method

Set the cookie in the response. Also sets request->params['_csrfToken'] so the newly minted token is available in the request data (and therefore to FormHelper) during the same request.
protected _setCookie ( Cake\Network\Request $request, Response $response ) : void
$request Cake\Network\Request The request object.
$response Cake\Network\Response The response object.
return void

_validateToken() protected method

Validate the request data against the cookie token.
protected _validateToken ( Cake\Network\Request $request ) : void
$request Cake\Network\Request The request to validate against.
return void

implementedEvents() public method

Events supported by this component.
public implementedEvents ( ) : array
return array

startup() public method

Validates the CSRF token on PATCH, POST, PUT and DELETE requests. If the request is a GET request and the cookie is absent, a new cookie will be set. Once a cookie exists its value is copied into request->params['_csrfToken'] so that application and framework code can easily access the CSRF token. RequestAction requests are not checked, nor do they get a cookie set when one is missing.
public startup ( Cake\Event\Event $event ) : void
$event Cake\Event\Event Event instance.
return void
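An added integration test (not part of the CakePHP project) that exercises the paths startup() takes: a cookieless GET mints a token, a POST whose token is missing or does not match the cookie is rejected, and a POST that carries the cookie value in the form field or the X-CSRF-Token header is accepted. The route /articles/add and the ArticlesController behind it are assumptions: the example expects the application to load CsrfComponent with its default cookieName and field, and the add action to respond with a 2xx or 3xx status when it is reached.

```php
<?php
// Added example, not part of the CakePHP source. /articles/add and the
// controller that serves it are hypothetical; the application is assumed to
// load CsrfComponent with the default cookie name and form field.
namespace App\Test\TestCase\Controller;

use Cake\TestSuite\IntegrationTestCase;

class ArticlesControllerCsrfTest extends IntegrationTestCase
{
    // A GET with no cookie present makes startup() call _setCookie(), so the
    // response carries a freshly minted token cookie.
    public function testGetWithoutCookieSetsToken()
    {
        $this->get('/articles/add');
        $this->assertResponseOk();

        $cookie = $this->_response->cookie('csrfToken');
        $this->assertNotEmpty($cookie['value']);
    }

    // No cookie and no token in the request data: _validateToken() rejects it.
    public function testPostWithoutTokenIsForbidden()
    {
        $this->post('/articles/add', ['title' => 'constructed sample']);
        $this->assertResponseCode(403);
    }

    // Both sides present but different: still rejected. This is the case an
    // attacker's cross-site form lands in, since it cannot read the cookie.
    public function testMismatchedTokenIsForbidden()
    {
        $this->cookie('csrfToken', 'value-held-in-cookie');
        $this->post('/articles/add', [
            '_csrfToken' => 'attacker-guessed-value',
            'title' => 'constructed sample',
        ]);
        $this->assertResponseCode(403);
    }

    // Form field equal to the cookie: the double-submit check passes and the
    // request reaches the action.
    public function testMatchingFieldIsAccepted()
    {
        $this->cookie('csrfToken', 'matching-token');
        $this->post('/articles/add', [
            '_csrfToken' => 'matching-token',
            'title' => 'constructed sample',
        ]);
        $this->assertResponseSuccess();
    }

    // The X-CSRF-Token header is accepted in place of the form field, which
    // is how an AJAX client is expected to send the token.
    public function testMatchingHeaderIsAccepted()
    {
        $this->cookie('csrfToken', 'matching-token');
        $this->configRequest([
            'headers' => ['X-CSRF-Token' => 'matching-token'],
        ]);
        $this->post('/articles/add', ['title' => 'constructed sample']);
        $this->assertResponseSuccess();
    }
}
```

If the add action writes to a table, the test class also needs the matching fixtures declared in $fixtures; that is left out here because the controller is hypothetical.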

Property Details

$_defaultConfig protected property

Default configuration:
- cookieName: The name of the cookie to send.
- expiry: How long the CSRF token should last. Defaults to browser session.
- secure: Whether or not the cookie will be set with the Secure flag. Defaults to false; set it to true on an HTTPS site so the token cookie is never sent in clear text.
- httpOnly: Whether or not the cookie will be set with the HttpOnly flag. Defaults to false; enabling it stops scripts from reading the token cookie, so client-side code that sends the X-CSRF-Token header must obtain the token from request->params['_csrfToken'] (rendered into the page) rather than from the cookie.
- field: The form field to check. Changing this will also require configuring FormHelper.
protected array $_defaultConfig
return array