PHP Class yii\web\Request

It encapsulates the $_SERVER variable and resolves its inconsistencies among different Web servers. It also provides an interface to retrieve request parameters from $_POST, $_GET, $_COOKIE and REST parameters sent via other HTTP methods like PUT or DELETE. Request is configured as an application component in Application by default. You can access that instance via Yii::$app->request.
Since: 2.0
Author: Qiang Xue
Inheritance: extends yii\base\Request

Public Properties

Property Type Description
$cookieValidationKey a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true.
$csrfCookie the configuration for creating the CSRF [[Cookie|cookie]]. This property is used only when both [[enableCsrfValidation]] and [[enableCsrfCookie]] are true.
$csrfParam the name of the token used to prevent CSRF. Defaults to '_csrf'. This property is used only when [[enableCsrfValidation]] is true.
$enableCookieValidation whether cookies should be validated to ensure they have not been tampered with. Defaults to true.
$enableCsrfCookie whether to use a cookie to persist the CSRF token. If false, the CSRF token will be stored in session under the name of [[csrfParam]]. Note that while storing CSRF tokens in session increases security, it requires starting a session for every page, which will degrade your site performance.
$enableCsrfValidation whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. When CSRF validation is enabled, forms submitted to a Yii Web application must originate from the same application. If not, a 400 HTTP exception will be raised. Note that this feature requires the user client to accept cookies. Also, to use this feature, forms submitted via the POST method must contain a hidden input whose name is specified by [[csrfParam]]. You may use [[\yii\helpers\Html::beginForm()]] to generate this hidden input. In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via yii.getCsrfParam() and yii.getCsrfToken(), respectively. The [[\yii\web\YiiAsset]] asset must be registered. You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
$methodParam the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE request tunneled through POST. Defaults to '_method'.
$parsers the parsers for converting the raw HTTP request body into [[bodyParams]]. The array keys are the request Content-Types, and the array values are the corresponding configurations for [[Yii::createObject|creating the parser objects]]. A parser must implement the [[RequestParserInterface]]. To enable parsing for JSON requests you can use the JsonParser class like in the following example: [ 'application/json' => 'yii\web\JsonParser', ] To register a parser for parsing all request types you can use '*' as the array key. This one will be used as a fallback in case no other types match.

Public Methods

Method Description
get ( string $name = null, mixed $defaultValue = null ) : array | mixed Returns GET parameter with a given name. If name isn't specified, returns an array of all GET parameters.
getAbsoluteUrl ( ) : string Returns the currently requested absolute URL.
getAcceptableContentTypes ( ) : array Returns the content types acceptable by the end user.
getAcceptableLanguages ( ) : array Returns the languages acceptable by the end user.
getAuthPassword ( ) : string | null
getAuthUser ( ) : string | null
getBaseUrl ( ) : string Returns the relative URL for the application.
getBodyParam ( string $name, mixed $defaultValue = null ) : mixed Returns the named request body parameter value.
getBodyParams ( ) : array Returns the request parameters given in the request body.
getContentType ( ) : string Returns the request content-type. The Content-Type header field indicates the MIME type of the data contained in Request::getRawBody or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.
getCookies ( ) : CookieCollection Returns the cookie collection.
getCsrfToken ( boolean $regenerate = false ) : string Returns the token used to perform CSRF validation.
getCsrfTokenFromHeader ( ) : string
getETags ( ) : array Gets the Etags.
getHeaders ( ) : HeaderCollection Returns the header collection.
getHostInfo ( ) : string | null Returns the schema and host part of the current request URL.
getHostName ( ) : string | null Returns the host part of the current request URL.
getIsAjax ( ) : boolean Returns whether this is an AJAX (XMLHttpRequest) request.
getIsDelete ( ) : boolean Returns whether this is a DELETE request.
getIsFlash ( ) : boolean Returns whether this is an Adobe Flash or Flex request.
getIsGet ( ) : boolean Returns whether this is a GET request.
getIsHead ( ) : boolean Returns whether this is a HEAD request.
getIsOptions ( ) : boolean Returns whether this is an OPTIONS request.
getIsPatch ( ) : boolean Returns whether this is a PATCH request.
getIsPjax ( ) : boolean Returns whether this is a PJAX request.
getIsPost ( ) : boolean Returns whether this is a POST request.
getIsPut ( ) : boolean Returns whether this is a PUT request.
getIsSecureConnection ( ) : boolean Returns whether the request is sent via a secure channel (https).
getMethod ( ) : string Returns the method of the current request (e.g. GET, POST, HEAD, PUT, PATCH, DELETE).
getPathInfo ( ) : string Returns the path info of the currently requested URL.
getPort ( ) : integer Returns the port to use for insecure requests.
getPreferredLanguage ( array $languages = [] ) : string Returns the user-preferred language that should be used by this application.
getQueryParam ( string $name, mixed $defaultValue = null ) : mixed Returns the named GET parameter value.
getQueryParams ( ) : array Returns the request parameters given in the [[queryString]].
getQueryString ( ) : string Returns part of the request URL that is after the question mark.
getRawBody ( ) : string Returns the raw HTTP request body.
getReferrer ( ) : string | null Returns the URL referrer.
getScriptFile ( ) : string Returns the entry script file path.
getScriptUrl ( ) : string Returns the relative URL of the entry script.
getSecurePort ( ) : integer Returns the port to use for secure requests.
getServerName ( ) : string Returns the server name.
getServerPort ( ) : integer | null Returns the server port number.
getUrl ( ) : string Returns the currently requested relative URL.
getUserAgent ( ) : string | null Returns the user agent.
getUserHost ( ) : string | null Returns the user host name.
getUserIP ( ) : string | null Returns the user IP address.
parseAcceptHeader ( string $header ) : array Parses the given Accept (or Accept-Language) header.
post ( string $name = null, mixed $defaultValue = null ) : array | mixed Returns POST parameter with a given name. If name isn't specified, returns an array of all POST parameters.
resolve ( ) : array Resolves the current request into a route and the associated parameters.
setAcceptableContentTypes ( array $value ) Sets the acceptable content types.
setAcceptableLanguages ( array $value )
setBaseUrl ( string $value ) Sets the relative URL for the application.
setBodyParams ( array $values ) Sets the request body parameters.
setHostInfo ( string | null $value ) Sets the schema and host part of the application URL.
setPathInfo ( string $value ) Sets the path info of the current request.
setPort ( integer $value ) Sets the port to use for insecure requests.
setQueryParams ( array $values ) Sets the request [[queryString]] parameters.
setRawBody ( string $rawBody ) Sets the raw HTTP request body. This method is mainly used by test scripts to simulate raw HTTP requests.
setScriptFile ( string $value ) Sets the entry script file path.
setScriptUrl ( string $value ) Sets the relative URL for the application entry script.
setSecurePort ( integer $value ) Sets the port to use for secure requests.
setUrl ( string $value ) Sets the currently requested relative URL.
validateCsrfToken ( string $token = null ) : boolean Performs the CSRF validation.

Protected Methods

Method Description
createCsrfCookie ( string $token ) : Cookie Creates a cookie with a randomly generated CSRF token.
generateCsrfToken ( ) : string Generates an unmasked random token used to perform CSRF validation.
loadCookies ( ) : array Converts $_COOKIE into an array of Cookie.
loadCsrfToken ( ) : string Loads the CSRF token from cookie or session.
resolvePathInfo ( ) : string Resolves the path info part of the currently requested URL.
resolveRequestUri ( ) : string | boolean Resolves the request URI portion for the currently requested URL.

Private Methods

Method Description
validateCsrfTokenInternal ( string $token, string $trueToken ) : boolean Validates CSRF token
xorTokens ( string $token1, string $token2 ) : string Returns the XOR result of two strings.

Method Details

createCsrfCookie() protected method

Initial values specified in [[csrfCookie]] will be applied to the generated cookie.
See also: enableCsrfValidation
protected createCsrfCookie ( string $token ) : Cookie
$token string the CSRF token
return Cookie the generated cookie

generateCsrfToken() protected method

Generates an unmasked random token used to perform CSRF validation.
protected generateCsrfToken ( ) : string
return string the random token for CSRF validation.

get() public method

Returns GET parameter with a given name. If name isn't specified, returns an array of all GET parameters.
public get ( string $name = null, mixed $defaultValue = null ) : array | mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
return array | mixed

getAbsoluteUrl() public method

This is a shortcut to the concatenation of [[hostInfo]] and [[url]].
public getAbsoluteUrl ( ) : string
return string the currently requested absolute URL.

getAcceptableContentTypes() public method

This is determined by the Accept HTTP header. For example,

```php
$_SERVER['HTTP_ACCEPT'] = 'text/plain; q=0.5, application/json; version=1.0, application/xml; version=2.0;';
$types = $request->getAcceptableContentTypes();
print_r($types);
// displays:
// [
//     'application/json' => ['q' => 1, 'version' => '1.0'],
//     'application/xml' => ['q' => 1, 'version' => '2.0'],
//     'text/plain' => ['q' => 0.5],
// ]
```
public getAcceptableContentTypes ( ) : array
return array the content types ordered by the quality score. Types with the highest scores will be returned first. The array keys are the content types, while the array values are the corresponding quality score and other parameters as given in the header.

getAcceptableLanguages() public method

This is determined by the Accept-Language HTTP header.
public getAcceptableLanguages ( ) : array
return array the languages ordered by the preference level. The first element represents the most preferred language.

getAuthPassword() public method

public getAuthPassword ( ) : string | null
return string | null the password sent via HTTP authentication, null if the password is not given

getAuthUser() public method

public getAuthUser ( ) : string | null
return string | null the username sent via HTTP authentication, null if the username is not given

getBaseUrl() public method

This is similar to [[scriptUrl]] except that it does not include the script file name, and the ending slashes are removed.
See also: setScriptUrl()
public getBaseUrl ( ) : string
return string the relative URL for the application

getBodyParam() public method

If the parameter does not exist, the second parameter passed to this method will be returned.
See also: getBodyParams()
See also: setBodyParams()
public getBodyParam ( string $name, mixed $defaultValue = null ) : mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
return mixed the parameter value

getBodyParams() public method

Request parameters are determined using the parsers configured in [[parsers]] property. If no parsers are configured for the current [[contentType]] it uses the PHP function mb_parse_str() to parse the [[rawBody|request body]].
See also: getMethod()
See also: getBodyParam()
See also: setBodyParams()
public getBodyParams ( ) : array
return array the request parameters given in the request body.

getContentType() public method

For the MIME-types the user expects in response, see [[acceptableContentTypes]].
public getContentType ( ) : string
return string request content-type. Null is returned if this information is not available.

getCookies() public method

Through the returned cookie collection, you may access a cookie using the following syntax:

```php
$cookie = $request->cookies['name'];
if ($cookie !== null) {
    $value = $cookie->value;
}

// alternatively
$value = $request->cookies->getValue('name');
```
public getCookies ( ) : CookieCollection
return CookieCollection the cookie collection.

getCsrfToken() public method

This token is generated in a way to prevent BREACH attacks. It may be passed along via a hidden field of an HTML form or an HTTP header value to support CSRF validation.
public getCsrfToken ( boolean $regenerate = false ) : string
$regenerate boolean whether to regenerate CSRF token. When this parameter is true, each time this method is called, a new CSRF token will be generated and persisted (in session or cookie).
return string the token used to perform CSRF validation.

getCsrfTokenFromHeader() public method

public getCsrfTokenFromHeader ( ) : string
return string the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent.

getETags() public method

Gets the Etags.
public getETags ( ) : array
return array The entity tags

getHeaders() public method

The header collection contains incoming HTTP headers.
public getHeaders ( ) : HeaderCollection
return HeaderCollection the header collection

getHostInfo() public method

The returned URL does not have an ending slash. By default this value is based on the user request information. This method will return the value of $_SERVER['HTTP_HOST'] if it is available or $_SERVER['SERVER_NAME'] if not. You may want to check out the PHP documentation for more information on these variables. You may explicitly specify it by setting the [[setHostInfo()|hostInfo]] property.

> Warning: Depending on the server configuration, this information may not be reliable and may be faked by the user sending the HTTP request.
> If the webserver is configured to serve the same site independent of the value of the Host header, this value is not reliable. In such situations you should either fix your webserver configuration or explicitly set the value by setting the [[setHostInfo()|hostInfo]] property.
> If you don't have access to the server configuration, you can set up the HostControl filter at application level in order to protect against this kind of attack.
See also: setHostInfo()
public getHostInfo ( ) : string | null
return string | null schema and hostname part (with port number if needed) of the request URL (e.g. `http://www.yiiframework.com`), null if can't be obtained from `$_SERVER` and wasn't set.
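
A configuration sketch for the two mitigations named in the warning above. This is an added example, not part of the Yii documentation; the host names, the application id, the environment variable name and the `hostControl` behavior name are placeholders chosen for illustration.

```php
<?php
// config/web.php -- application configuration (constructed example).
return [
    'id' => 'example-app',               // placeholder
    'basePath' => dirname(__DIR__),

    // Application-level filter: requests whose Host header is not on the
    // allow-list are rejected before any controller action runs.
    // Use this when the web server itself cannot be fixed to route only
    // known host names to the application.
    'as hostControl' => [
        'class' => 'yii\filters\HostControl',
        'allowedHosts' => [
            'example.com',               // placeholder host names
            '*.example.com',
        ],
    ],

    'components' => [
        'request' => [
            // Required while enableCookieValidation is true (the default).
            // Read from the environment here; the variable name is assumed.
            'cookieValidationKey' => getenv('COOKIE_VALIDATION_KEY'),

            // Pin scheme and host explicitly. With this set, getHostInfo()
            // and getHostName() no longer depend on $_SERVER['HTTP_HOST'],
            // and neither do absolute URLs built from hostInfo.
            'hostInfo' => 'https://www.example.com',
        ],
    ],
];
```

Pinning `hostInfo` suits a single-domain deployment; an application that legitimately serves several host names would rely on the allow-list instead.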

getHostName() public method

Value is calculated from current [[getHostInfo()|hostInfo]] property.

> Warning: The content of this value may not be reliable, depending on the server configuration. Please refer to Request::getHostInfo for more information.
See also: getHostInfo()
Since: 2.0.10
public getHostName ( ) : string | null
return string | null hostname part of the request URL (e.g. `www.yiiframework.com`)

getIsAjax() public method

Note that jQuery doesn't set the header in case of cross domain requests: https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
public getIsAjax ( ) : boolean
return boolean whether this is an AJAX (XMLHttpRequest) request.

getIsDelete() public method

Returns whether this is a DELETE request.
public getIsDelete ( ) : boolean
return boolean whether this is a DELETE request.

getIsFlash() public method

Returns whether this is an Adobe Flash or Flex request.
public getIsFlash ( ) : boolean
return boolean whether this is an Adobe Flash or Adobe Flex request.

getIsGet() public method

Returns whether this is a GET request.
public getIsGet ( ) : boolean
return boolean whether this is a GET request.

getIsHead() public method

Returns whether this is a HEAD request.
public getIsHead ( ) : boolean
return boolean whether this is a HEAD request.

getIsOptions() public method

Returns whether this is an OPTIONS request.
public getIsOptions ( ) : boolean
return boolean whether this is an OPTIONS request.

getIsPatch() public method

Returns whether this is a PATCH request.
public getIsPatch ( ) : boolean
return boolean whether this is a PATCH request.

getIsPjax() public method

Returns whether this is a PJAX request.
public getIsPjax ( ) : boolean
return boolean whether this is a PJAX request

getIsPost() public method

Returns whether this is a POST request.
public getIsPost ( ) : boolean
return boolean whether this is a POST request.

getIsPut() public method

Returns whether this is a PUT request.
public getIsPut ( ) : boolean
return boolean whether this is a PUT request.

getIsSecureConnection() public method

Returns whether the request is sent via a secure channel (https).
public getIsSecureConnection ( ) : boolean
return boolean whether the request is sent via a secure channel (https)

getMethod() public method

Returns the method of the current request (e.g. GET, POST, HEAD, PUT, PATCH, DELETE).
public getMethod ( ) : string
return string request method, such as GET, POST, HEAD, PUT, PATCH, DELETE. The value returned is turned into upper case.

getPathInfo() public method

A path info refers to the part that is after the entry script and before the question mark (query string). The starting and ending slashes are both removed.
public getPathInfo ( ) : string
return string part of the request URL that is after the entry script and before the question mark. Note, the returned path info is already URL-decoded.

getPort() public method

Defaults to 80, or the port specified by the server if the current request is insecure.
See also: setPort()
public getPort ( ) : integer
return integer port number for insecure requests.

getPreferredLanguage() public method

The language resolution is based on the user preferred languages and the languages supported by the application. The method will try to find the best match.
public getPreferredLanguage ( array $languages = [] ) : string
$languages array a list of the languages supported by the application. If this is empty, the current application language will be returned without further processing.
return string the language that the application should use.

getQueryParam() public method

If the GET parameter does not exist, the second parameter passed to this method will be returned.
See also: getBodyParam()
public getQueryParam ( string $name, mixed $defaultValue = null ) : mixed
$name string the GET parameter name.
$defaultValue mixed the default parameter value if the GET parameter does not exist.
return mixed the GET parameter value

getQueryParams() public method

This method will return the contents of $_GET if params were not explicitly set.
See also: setQueryParams()
public getQueryParams ( ) : array
return array the request GET parameter values.

getQueryString() public method

Returns part of the request URL that is after the question mark.
public getQueryString ( ) : string
return string part of the request URL that is after the question mark

getRawBody() public method

Returns the raw HTTP request body.
public getRawBody ( ) : string
return string the request body

getReferrer() public method

Returns the URL referrer.
public getReferrer ( ) : string | null
return string | null URL referrer, null if not available

getScriptFile() public method

The default implementation will simply return $_SERVER['SCRIPT_FILENAME'].
public getScriptFile ( ) : string
return string the entry script file path

getScriptUrl() public method

The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework.
public getScriptUrl ( ) : string
return string the relative URL of the entry script.

getSecurePort() public method

Defaults to 443, or the port specified by the server if the current request is secure.
See also: setSecurePort()
public getSecurePort ( ) : integer
return integer port number for secure requests.

getServerName() public method

Returns the server name.
public getServerName ( ) : string
return string server name, null if not available

getServerPort() public method

Returns the server port number.
public getServerPort ( ) : integer | null
return integer | null server port number, null if not available

getUrl() public method

This refers to the portion of the URL that is after the [[hostInfo]] part. It includes the [[queryString]] part if any.
public getUrl ( ) : string
return string the currently requested relative URL. Note that the URI returned is URL-encoded.

getUserAgent() public method

Returns the user agent.
public getUserAgent ( ) : string | null
return string | null user agent, null if not available

getUserHost() public method

Returns the user host name.
public getUserHost ( ) : string | null
return string | null user host name, null if not available

getUserIP() public method

Returns the user IP address.
public getUserIP ( ) : string | null
return string | null user IP address, null if not available

loadCookies() protected method

Converts $_COOKIE into an array of Cookie.
protected loadCookies ( ) : array
return array the cookies obtained from request

loadCsrfToken() protected method

Loads the CSRF token from cookie or session.
protected loadCsrfToken ( ) : string
return string the CSRF token loaded from cookie or session. Null is returned if the cookie or session does not have CSRF token.

parseAcceptHeader() public method

This method will return the acceptable values with their quality scores and the corresponding parameters as specified in the given Accept header. The array keys of the return value are the acceptable values, while the array values consist of the corresponding quality scores and parameters. The acceptable values with the highest quality scores will be returned first. For example,

```php
$header = 'text/plain; q=0.5, application/json; version=1.0, application/xml; version=2.0;';
$accepts = $request->parseAcceptHeader($header);
print_r($accepts);
// displays:
// [
//     'application/json' => ['q' => 1, 'version' => '1.0'],
//     'application/xml' => ['q' => 1, 'version' => '2.0'],
//     'text/plain' => ['q' => 0.5],
// ]
```
public parseAcceptHeader ( string $header ) : array
$header string the header to be parsed
return array the acceptable values ordered by their quality score. The values with the highest scores will be returned first.

post() public method

Returns POST parameter with a given name. If name isn't specified, returns an array of all POST parameters.
public post ( string $name = null, mixed $defaultValue = null ) : array | mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
return array | mixed

resolve() public method

Resolves the current request into a route and the associated parameters.
public resolve ( ) : array
return array the first element is the route, and the second is the associated parameters.

resolvePathInfo() protected method

A path info refers to the part that is after the entry script and before the question mark (query string). The starting slashes are removed (ending slashes will be kept).
protected resolvePathInfo ( ) : string
return string part of the request URL that is after the entry script and before the question mark. Note, the returned path info is decoded.

resolveRequestUri() protected method

This refers to the portion that is after the [[hostInfo]] part. It includes the [[queryString]] part if any. The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework.
protected resolveRequestUri ( ) : string | boolean
return string | boolean the request URI portion for the currently requested URL. Note that the URI returned is URL-encoded.

setAcceptableContentTypes() public method

Please refer to Request::getAcceptableContentTypes on the format of the parameter.
See also: getAcceptableContentTypes()
See also: parseAcceptHeader()
public setAcceptableContentTypes ( array $value )
$value array the content types that are acceptable by the end user. They should be ordered by the preference level.

setAcceptableLanguages() public method

public setAcceptableLanguages ( array $value )
$value array the languages that are acceptable by the end user. They should be ordered by the preference level.

setBaseUrl() public method

By default the URL is determined based on the entry script URL. This setter is provided in case you want to change this behavior.
public setBaseUrl ( string $value )
$value string the relative URL for the application

setBodyParams() public method

Sets the request body parameters.
See also: getBodyParam()
See also: getBodyParams()
public setBodyParams ( array $values )
$values array the request body parameters (name-value pairs)

setHostInfo() public method

This setter is provided in case the schema and hostname cannot be determined on certain Web servers.
See also: getHostInfo() for security related notes on this property.
public setHostInfo ( string | null $value )
$value string | null the schema and host part of the application URL. The trailing slashes will be removed.

setPathInfo() public method

This method is mainly provided for testing purposes.
public setPathInfo ( string $value )
$value string the path info of the current request

setPort() public method

This setter is provided in case a custom port is necessary for certain server configurations.
public setPort ( integer $value )
$value integer port number.

setQueryParams() public method

Sets the request [[queryString]] parameters.
See also: getQueryParam()
See also: getQueryParams()
public setQueryParams ( array $values )
$values array the request query parameters (name-value pairs)

setRawBody() public method

Sets the raw HTTP request body. This method is mainly used by test scripts to simulate raw HTTP requests.
public setRawBody ( string $rawBody )
$rawBody string the request body

setScriptFile() public method

The entry script file path normally can be obtained from $_SERVER['SCRIPT_FILENAME']. If your server configuration does not return the correct value, you may configure this property to make it right.
public setScriptFile ( string $value )
$value string the entry script file path.

setScriptUrl() public method

This setter is provided in case the entry script URL cannot be determined on certain Web servers.
public setScriptUrl ( string $value )
$value string the relative URL for the application entry script.

setSecurePort() public method

This setter is provided in case a custom port is necessary for certain server configurations.
public setSecurePort ( integer $value )
$value integer port number.

setUrl() public method

The URI must refer to the portion that is after [[hostInfo]]. Note that the URI should be URL-encoded.
public setUrl ( string $value )
$value string the request URI to be set

validateCsrfToken() public method

This method will validate the user-provided CSRF token by comparing it with the one stored in cookie or session. This method is mainly called in [[Controller::beforeAction()]]. Note that the method will NOT perform CSRF validation if [[enableCsrfValidation]] is false or the HTTP method is among GET, HEAD or OPTIONS.
public validateCsrfToken ( string $token = null ) : boolean
$token string the user-provided CSRF token to be validated. If null, the token will be retrieved from the [[csrfParam]] POST field or HTTP header. This parameter is available since version 2.0.4.
return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
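
How a masked token can differ on every response yet still validate against one stored value, which is the property getCsrfToken() relies on against BREACH (a compression side channel needs the secret to appear unchanged across responses). This is an added, stand-alone sketch, not the framework's source: the function names echo methods listed on this page, but their bodies, `MASK_LENGTH`, `maskToken()` and `check()` are assumptions made for the example.

```php
<?php
// Stand-alone sketch of per-response CSRF token masking (constructed example).

const MASK_LENGTH = 8; // assumed mask size in bytes

/** Unmasked random token; stored once in the session or the CSRF cookie. */
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(16));
}

/** Byte-wise XOR of two strings, repeating the shorter one to full length. */
function xorTokens(string $token1, string $token2): string
{
    $n1 = strlen($token1);
    $n2 = strlen($token2);
    if ($n1 === 0 || $n2 === 0) {
        return '';
    }
    if ($n1 > $n2) {
        $token2 = str_pad($token2, $n1, $token2);
    } elseif ($n1 < $n2) {
        $token1 = str_pad($token1, $n2, $token1);
    }
    return $token1 ^ $token2;
}

/** Value sent to the browser: fresh random mask + (token XOR mask). */
function maskToken(string $trueToken): string
{
    $mask = random_bytes(MASK_LENGTH);
    return base64_encode($mask . xorTokens($trueToken, $mask));
}

/** Strip the mask from the submitted value and compare in constant time. */
function validateCsrfTokenInternal(string $token, string $trueToken): bool
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= MASK_LENGTH) {
        return false; // malformed, or nothing left after the mask
    }
    $mask = substr($raw, 0, MASK_LENGTH);
    $masked = substr($raw, MASK_LENGTH);
    return hash_equals($trueToken, xorTokens($masked, $mask));
}

/** Tiny self-check helper so the demo fails loudly instead of silently. */
function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

$trueToken = generateCsrfToken();       // what the server keeps
$first = maskToken($trueToken);         // rendered into response 1
$second = maskToken($trueToken);        // rendered into response 2

check($first !== $second, 'two renderings of the same token differ');
check(validateCsrfTokenInternal($first, $trueToken), 'first rendering validates');
check(validateCsrfTokenInternal($second, $trueToken), 'second rendering validates');
check(!validateCsrfTokenInternal('not base64 !!', $trueToken), 'malformed input is rejected');
check(
    !validateCsrfTokenInternal(maskToken(generateCsrfToken()), $trueToken),
    'a token masked from a different secret is rejected'
);
```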

Property Details

$cookieValidationKey public property

a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true.
public $cookieValidationKey

$csrfCookie public property

the configuration for creating the CSRF [[Cookie|cookie]]. This property is used only when both [[enableCsrfValidation]] and [[enableCsrfCookie]] are true.
public $csrfCookie

$csrfParam public property

the name of the token used to prevent CSRF. Defaults to '_csrf'. This property is used only when [[enableCsrfValidation]] is true.
public $csrfParam

$enableCookieValidation public property

whether cookies should be validated to ensure they have not been tampered with. Defaults to true.
public $enableCookieValidation

$enableCsrfCookie public property

whether to use a cookie to persist the CSRF token. If false, the CSRF token will be stored in session under the name of [[csrfParam]]. Note that while storing CSRF tokens in session increases security, it requires starting a session for every page, which will degrade your site performance.
public $enableCsrfCookie

$enableCsrfValidation public property

whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. When CSRF validation is enabled, forms submitted to a Yii Web application must originate from the same application. If not, a 400 HTTP exception will be raised. Note that this feature requires the user client to accept cookies. Also, to use this feature, forms submitted via the POST method must contain a hidden input whose name is specified by [[csrfParam]]. You may use [[\yii\helpers\Html::beginForm()]] to generate this hidden input. In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via yii.getCsrfParam() and yii.getCsrfToken(), respectively. The [[\yii\web\YiiAsset]] asset must be registered. You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
See also: Controller::enableCsrfValidation
See also: http://en.wikipedia.org/wiki/Cross-site_request_forgery
public $enableCsrfValidation

$methodParam public property

the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE request tunneled through POST. Defaults to '_method'.
See also: getMethod()
See also: getBodyParams()
public $methodParam

$parsers public property

the parsers for converting the raw HTTP request body into [[bodyParams]]. The array keys are the request Content-Types, and the array values are the corresponding configurations for [[Yii::createObject|creating the parser objects]]. A parser must implement the [[RequestParserInterface]]. To enable parsing for JSON requests you can use the JsonParser class like in the following example:

```php
[
    'application/json' => 'yii\web\JsonParser',
]
```

To register a parser for parsing all request types you can use '*' as the array key. This one will be used as a fallback in case no other types match.
See also: getBodyParams()
public $parsers