Property | Type | Description | |
---|---|---|---|
$cookieValidationKey | a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true. | ||
$csrfCookie | the configuration for creating the CSRF [[Cookie|cookie]]. This property is used only when both [[enableCsrfValidation]] and [[enableCsrfCookie]] are true. | ||
$csrfParam | the name of the token used to prevent CSRF. Defaults to '_csrf'. This property is used only when [[enableCsrfValidation]] is true. | ||
$enableCookieValidation | whether cookies should be validated to ensure they have not been tampered with. Defaults to true. | ||
$enableCsrfCookie | whether to use a cookie to persist the CSRF token. If false, the CSRF token will be stored in the session under the name of [[csrfParam]]. Note that while storing CSRF tokens in the session increases security, it requires starting a session for every page, which will degrade your site performance. | ||
$enableCsrfValidation | whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. When CSRF validation is enabled, forms submitted to a Yii Web application must originate from the same application. If not, a 400 HTTP exception will be raised. Note that this feature requires the user client to accept cookies. Also, to use this feature, forms submitted via the POST method must contain a hidden input whose name is specified by [[csrfParam]]. You may use [[\yii\helpers\Html::beginForm()]] to generate this hidden input. In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via yii.getCsrfParam() and yii.getCsrfToken(), respectively. The [[\yii\web\YiiAsset]] asset must be registered. You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]]. | ||
$methodParam | the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE request tunneled through POST. Defaults to '_method'. | ||
$parsers | the parsers for converting the raw HTTP request body into [[bodyParams]]. The array keys are the request Content-Types, and the array values are the corresponding configurations for [[Yii::createObject|creating the parser objects]]. A parser must implement the [[RequestParserInterface]]. To enable parsing for JSON requests you can use the JsonParser class like in the following example: `[ 'application/json' => 'yii\web\JsonParser', ]`. To register a parser for parsing all request types you can use `'*'` as the array key. This one will be used as a fallback in case no other types match. |
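
The properties above, combined into one `request` component configuration. This is an added example, not part of the Yii documentation; the environment variable name `APP_COOKIE_KEY`, the 32-character minimum and the HTTPS-only deployment behind `secure` are assumptions.

```php
<?php
// Added example: the 'request' section of an application config file.
// APP_COOKIE_KEY is a hypothetical environment variable holding the secret.

$cookieKey = getenv('APP_COOKIE_KEY');

// Fail closed: enableCookieValidation is true below, so cookieValidationKey
// must be set. The 32-character minimum is this example's own assumption.
if ($cookieKey === false || strlen($cookieKey) < 32) {
    throw new RuntimeException('APP_COOKIE_KEY must be set to a long random secret.');
}

return [
    'components' => [
        'request' => [
            // Tamper detection for cookies; keep the key out of version control.
            'enableCookieValidation' => true,
            'cookieValidationKey' => $cookieKey,

            // Reject POST requests that lack a valid token (400 response).
            'enableCsrfValidation' => true,
            'csrfParam' => '_csrf',

            // true: token persisted in a cookie; false: token kept in the
            // session under csrfParam, at the cost of a session on every page.
            'enableCsrfCookie' => true,

            // Options applied when the CSRF cookie is created. JavaScript reads
            // the token from the CSRF meta tags, so the cookie itself can stay
            // httpOnly. 'secure' assumes the site is served over HTTPS only.
            'csrfCookie' => [
                'httpOnly' => true,
                'secure' => true,
            ],

            // Populate bodyParams from JSON request bodies.
            'parsers' => [
                'application/json' => 'yii\web\JsonParser',
            ],
        ],
    ],
];
```
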
Method | Description | |
---|---|---|
get ( string $name = null, mixed $defaultValue = null ) : array | mixed | Returns GET parameter with a given name. If name isn't specified, returns an array of all GET parameters. | |
getAbsoluteUrl ( ) : string | Returns the currently requested absolute URL. | |
getAcceptableContentTypes ( ) : array | Returns the content types acceptable by the end user. | |
getAcceptableLanguages ( ) : array | Returns the languages acceptable by the end user. | |
getAuthPassword ( ) : string | null | ||
getAuthUser ( ) : string | null | ||
getBaseUrl ( ) : string | Returns the relative URL for the application. | |
getBodyParam ( string $name, mixed $defaultValue = null ) : mixed | Returns the named request body parameter value. | |
getBodyParams ( ) : array | Returns the request parameters given in the request body. | |
getContentType ( ) : string | Returns the request content-type. The Content-Type header field indicates the MIME type of the data contained in Request::getRawBody or, in the case of the HEAD method, the media type that would have been sent had the request been a GET. | |
getCookies ( ) : | Returns the cookie collection. | |
getCsrfToken ( boolean $regenerate = false ) : string | Returns the token used to perform CSRF validation. | |
getCsrfTokenFromHeader ( ) : string | ||
getETags ( ) : array | Gets the Etags. | |
getHeaders ( ) : | Returns the header collection. | |
getHostInfo ( ) : string | null | Returns the schema and host part of the current request URL. | |
getHostName ( ) : string | null | Returns the host part of the current request URL. | |
getIsAjax ( ) : boolean | Returns whether this is an AJAX (XMLHttpRequest) request. | |
getIsDelete ( ) : boolean | Returns whether this is a DELETE request. | |
getIsFlash ( ) : boolean | Returns whether this is an Adobe Flash or Flex request. | |
getIsGet ( ) : boolean | Returns whether this is a GET request. | |
getIsHead ( ) : boolean | Returns whether this is a HEAD request. | |
getIsOptions ( ) : boolean | Returns whether this is an OPTIONS request. | |
getIsPatch ( ) : boolean | Returns whether this is a PATCH request. | |
getIsPjax ( ) : boolean | Returns whether this is a PJAX request. | |
getIsPost ( ) : boolean | Returns whether this is a POST request. | |
getIsPut ( ) : boolean | Returns whether this is a PUT request. | |
getIsSecureConnection ( ) : boolean | Returns whether the request is sent via a secure channel (https). | |
getMethod ( ) : string | Returns the method of the current request (e.g. GET, POST, HEAD, PUT, PATCH, DELETE). | |
getPathInfo ( ) : string | Returns the path info of the currently requested URL. | |
getPort ( ) : integer | Returns the port to use for insecure requests. | |
getPreferredLanguage ( array $languages = [] ) : string | Returns the user-preferred language that should be used by this application. | |
getQueryParam ( string $name, mixed $defaultValue = null ) : mixed | Returns the named GET parameter value. | |
getQueryParams ( ) : array | Returns the request parameters given in the [[queryString]]. | |
getQueryString ( ) : string | Returns part of the request URL that is after the question mark. | |
getRawBody ( ) : string | Returns the raw HTTP request body. | |
getReferrer ( ) : string | null | Returns the URL referrer. | |
getScriptFile ( ) : string | Returns the entry script file path. | |
getScriptUrl ( ) : string | Returns the relative URL of the entry script. | |
getSecurePort ( ) : integer | Returns the port to use for secure requests. | |
getServerName ( ) : string | Returns the server name. | |
getServerPort ( ) : integer | null | Returns the server port number. | |
getUrl ( ) : string | Returns the currently requested relative URL. | |
getUserAgent ( ) : string | null | Returns the user agent. | |
getUserHost ( ) : string | null | Returns the user host name. | |
getUserIP ( ) : string | null | Returns the user IP address. | |
parseAcceptHeader ( string $header ) : array | Parses the given Accept (or Accept-Language) header. | |
post ( string $name = null, mixed $defaultValue = null ) : array | mixed | Returns POST parameter with a given name. If name isn't specified, returns an array of all POST parameters. | |
resolve ( ) : array | Resolves the current request into a route and the associated parameters. | |
setAcceptableContentTypes ( array $value ) | Sets the acceptable content types. | |
setAcceptableLanguages ( array $value ) | ||
setBaseUrl ( string $value ) | Sets the relative URL for the application. | |
setBodyParams ( array $values ) | Sets the request body parameters. | |
setHostInfo ( string | null $value ) | Sets the schema and host part of the application URL. | |
setPathInfo ( string $value ) | Sets the path info of the current request. | |
setPort ( integer $value ) | Sets the port to use for insecure requests. | |
setQueryParams ( array $values ) | Sets the request [[queryString]] parameters. | |
setRawBody ( string $rawBody ) | Sets the raw HTTP request body. This method is mainly used by test scripts to simulate raw HTTP requests. | |
setScriptFile ( string $value ) | Sets the entry script file path. | |
setScriptUrl ( string $value ) | Sets the relative URL for the application entry script. | |
setSecurePort ( integer $value ) | Sets the port to use for secure requests. | |
setUrl ( string $value ) | Sets the currently requested relative URL. | |
validateCsrfToken ( string $token = null ) : boolean | Performs the CSRF validation. |
Method | Description | |
---|---|---|
createCsrfCookie ( string $token ) : | Creates a cookie with a randomly generated CSRF token. | |
generateCsrfToken ( ) : string | Generates an unmasked random token used to perform CSRF validation. | |
loadCookies ( ) : array | Converts $_COOKIE into an array of Cookie. | |
loadCsrfToken ( ) : string | Loads the CSRF token from cookie or session. | |
resolvePathInfo ( ) : string | Resolves the path info part of the currently requested URL. | |
resolveRequestUri ( ) : string | boolean | Resolves the request URI portion for the currently requested URL. |
Method | Description | |
---|---|---|
validateCsrfTokenInternal ( string $token, string $trueToken ) : boolean | Validates CSRF token | |
xorTokens ( string $token1, string $token2 ) : string | Returns the XOR result of two strings. |
protected createCsrfCookie ( string $token ) : |
||
$token | string | the CSRF token |
return | the generated cookie |
protected generateCsrfToken ( ) : string | ||
return | string | the random token for CSRF validation. |
public getAbsoluteUrl ( ) : string | ||
return | string | the currently requested absolute URL. |
public getAcceptableContentTypes ( ) : array | ||
return | array | the content types ordered by the quality score. Types with the highest scores will be returned first. The array keys are the content types, while the array values are the corresponding quality score and other parameters as given in the header. |
public getAcceptableLanguages ( ) : array | ||
return | array | the languages ordered by the preference level. The first element represents the most preferred language. |
public getAuthPassword ( ) : string | null | ||
return | string | null | the password sent via HTTP authentication, null if the password is not given |
public getAuthUser ( ) : string | null | ||
return | string | null | the username sent via HTTP authentication, null if the username is not given |
public getBaseUrl ( ) : string | ||
return | string | the relative URL for the application |
public getBodyParams ( ) : array | ||
return | array | the request parameters given in the request body. |
public getContentType ( ) : string | ||
return | string | request content-type. Null is returned if this information is not available. |
public getCookies ( ) : |
||
return | the cookie collection. |
public getCsrfToken ( boolean $regenerate = false ) : string | ||
$regenerate | boolean | whether to regenerate CSRF token. When this parameter is true, each time this method is called, a new CSRF token will be generated and persisted (in session or cookie). |
return | string | the token used to perform CSRF validation. |
public getCsrfTokenFromHeader ( ) : string | ||
return | string | the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent. |
public getHeaders ( ) : |
||
return | the header collection |
public getHostInfo ( ) : string | null | ||
return | string | null | schema and hostname part (with port number if needed) of the request URL (e.g. `http://www.yiiframework.com`), null if it can't be obtained from `$_SERVER` and wasn't set. |
public getHostName ( ) : string | null | ||
return | string | null | hostname part of the request URL (e.g. `www.yiiframework.com`) |
public getIsDelete ( ) : boolean | ||
return | boolean | whether this is a DELETE request. |
public getIsFlash ( ) : boolean | ||
return | boolean | whether this is an Adobe Flash or Adobe Flex request. |
public getIsOptions ( ) : boolean | ||
return | boolean | whether this is an OPTIONS request. |
public getIsPatch ( ) : boolean | ||
return | boolean | whether this is a PATCH request. |
public getIsSecureConnection ( ) : boolean | ||
return | boolean | if the request is sent via secure channel (https) |
public getPathInfo ( ) : string | ||
return | string | part of the request URL that is after the entry script and before the question mark. Note, the returned path info is already URL-decoded. |
public getPreferredLanguage ( array $languages = [] ) : string | ||
$languages | array | a list of the languages supported by the application. If this is empty, the current application language will be returned without further processing. |
return | string | the language that the application should use. |
public getQueryParams ( ) : array | ||
return | array | the request GET parameter values. |
public getQueryString ( ) : string | ||
return | string | part of the request URL that is after the question mark |
public getRawBody ( ) : string | ||
return | string | the request body |
public getReferrer ( ) : string | null | ||
return | string | null | URL referrer, null if not available |
public getScriptFile ( ) : string | ||
return | string | the entry script file path |
public getScriptUrl ( ) : string | ||
return | string | the relative URL of the entry script. |
public getSecurePort ( ) : integer | ||
return | integer | port number for secure requests. |
public getServerName ( ) : string | ||
return | string | server name, null if not available |
public getServerPort ( ) : integer | null | ||
return | integer | null | server port number, null if not available |
public getUserAgent ( ) : string | null | ||
return | string | null | user agent, null if not available |
public getUserHost ( ) : string | null | ||
return | string | null | user host name, null if not available |
protected loadCookies ( ) : array | ||
return | array | the cookies obtained from request |
protected loadCsrfToken ( ) : string | ||
return | string | the CSRF token loaded from cookie or session. Null is returned if the cookie or session does not have CSRF token. |
public parseAcceptHeader ( string $header ) : array | ||
$header | string | the header to be parsed |
return | array | the acceptable values ordered by their quality score. The values with the highest scores will be returned first. |
protected resolvePathInfo ( ) : string | ||
return | string | part of the request URL that is after the entry script and before the question mark. Note, the returned path info is decoded. |
protected resolveRequestUri ( ) : string | boolean | ||
return | string | boolean | the request URI portion for the currently requested URL. Note that the URI returned is URL-encoded. |
public setAcceptableContentTypes ( array $value ) | ||
$value | array | the content types that are acceptable by the end user. They should be ordered by the preference level. |
public setAcceptableLanguages ( array $value ) | ||
$value | array | the languages that are acceptable by the end user. They should be ordered by the preference level. |
public setBaseUrl ( string $value ) | ||
$value | string | the relative URL for the application |
public setBodyParams ( array $values ) | ||
$values | array | the request body parameters (name-value pairs) |
public setHostInfo ( string | null $value ) | ||
$value | string | null | the schema and host part of the application URL. The trailing slashes will be removed. |
public setPathInfo ( string $value ) | ||
$value | string | the path info of the current request |
public setQueryParams ( array $values ) | ||
$values | array | the request query parameters (name-value pairs) |
public setRawBody ( string $rawBody ) | ||
$rawBody | string | the request body |
public setScriptFile ( string $value ) | ||
$value | string | the entry script file path. |
public setScriptUrl ( string $value ) | ||
$value | string | the relative URL for the application entry script. |
public setSecurePort ( integer $value ) | ||
$value | integer | port number. |
public validateCsrfToken ( string $token = null ) : boolean | ||
$token | string | the user-provided CSRF token to be validated. If null, the token will be retrieved from the [[csrfParam]] POST field or HTTP header. This parameter is available since version 2.0.4. |
return | boolean | whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true. |
public $cookieValidationKey |
public $csrfCookie |
public $csrfParam |
public $enableCookieValidation |
public $enableCsrfCookie |
public $enableCsrfValidation |
public $methodParam |
public $parsers |