PHP Class yii\web\Request

It encapsulates the $_SERVER variable and resolves its inconsistencies across different Web servers. It also provides an interface to retrieve request parameters from $_POST, $_GET, $_COOKIE and REST parameters sent via other HTTP methods like PUT or DELETE. Request is configured as an application component in Application by default. You can access that instance via Yii::$app->request.
Since: 2.0
Author: Qiang Xue
Inheritance: extends yii\base\Request
Project: yiisoft/yii2

Public Properties

Property Type Description
$cookieValidationKey a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true.
$csrfCookie the configuration for creating the CSRF [[Cookie|cookie]]. This property is used only when both [[enableCsrfValidation]] and [[enableCsrfCookie]] are true.
$csrfParam the name of the token used to prevent CSRF. Defaults to '_csrf'. This property is used only when [[enableCsrfValidation]] is true.
$enableCookieValidation whether cookies should be validated to ensure they are not tampered with. Defaults to true.
$enableCsrfCookie whether to use a cookie to persist the CSRF token. If false, the CSRF token will be stored in session under the name of [[csrfParam]]. Note that while storing CSRF tokens in session increases security, it requires starting a session for every page, which will degrade your site performance.
$enableCsrfValidation whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. When CSRF validation is enabled, forms submitted to a Yii Web application must originate from the same application. If not, a 400 HTTP exception will be raised. Note, this feature requires that the user client accepts cookies. Also, to use this feature, forms submitted via POST method must contain a hidden input whose name is specified by [[csrfParam]]. You may use [[\yii\helpers\Html::beginForm()]] to generate this hidden input. In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via yii.getCsrfParam() and yii.getCsrfToken(), respectively. The [[\yii\web\YiiAsset]] asset must be registered. You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
$methodParam the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE request tunneled through POST. Defaults to '_method'.
$parsers the parsers for converting the raw HTTP request body into [[bodyParams]]. The array keys are the request Content-Types, and the array values are the corresponding configurations for [[Yii::createObject|creating the parser objects]]. A parser must implement the [[RequestParserInterface]]. To enable parsing for JSON requests you can use the JsonParser class like in the following example: `[ 'application/json' => 'yii\web\JsonParser', ]` To register a parser for parsing all request types you can use '*' as the array key. This one will be used as a fallback in case no other types match.

Public Methods

Method Description
get ( string $name = null, mixed $defaultValue = null ) : array | mixed Returns GET parameter with a given name. If name isn't specified, returns an array of all GET parameters.
getAbsoluteUrl ( ) : string Returns the currently requested absolute URL.
getAcceptableContentTypes ( ) : array Returns the content types acceptable by the end user.
getAcceptableLanguages ( ) : array Returns the languages acceptable by the end user.
getAuthPassword ( ) : string | null
getAuthUser ( ) : string | null
getBaseUrl ( ) : string Returns the relative URL for the application.
getBodyParam ( string $name, mixed $defaultValue = null ) : mixed Returns the named request body parameter value.
getBodyParams ( ) : array Returns the request parameters given in the request body.
getContentType ( ) : string Returns the request content-type. The Content-Type header field indicates the MIME type of the data contained in Request::getRawBody or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.
getCookies ( ) : CookieCollection Returns the cookie collection.
getCsrfToken ( boolean $regenerate = false ) : string Returns the token used to perform CSRF validation.
getCsrfTokenFromHeader ( ) : string
getETags ( ) : array Gets the Etags.
getHeaders ( ) : HeaderCollection Returns the header collection.
getHostInfo ( ) : string | null Returns the schema and host part of the current request URL.
getHostName ( ) : string | null Returns the host part of the current request URL.
getIsAjax ( ) : boolean Returns whether this is an AJAX (XMLHttpRequest) request.
getIsDelete ( ) : boolean Returns whether this is a DELETE request.
getIsFlash ( ) : boolean Returns whether this is an Adobe Flash or Flex request.
getIsGet ( ) : boolean Returns whether this is a GET request.
getIsHead ( ) : boolean Returns whether this is a HEAD request.
getIsOptions ( ) : boolean Returns whether this is an OPTIONS request.
getIsPatch ( ) : boolean Returns whether this is a PATCH request.
getIsPjax ( ) : boolean Returns whether this is a PJAX request.
getIsPost ( ) : boolean Returns whether this is a POST request.
getIsPut ( ) : boolean Returns whether this is a PUT request.
getIsSecureConnection ( ) : boolean Returns whether the request is sent via a secure channel (HTTPS).
getMethod ( ) : string Returns the method of the current request (e.g. GET, POST, HEAD, PUT, PATCH, DELETE).
getPathInfo ( ) : string Returns the path info of the currently requested URL.
getPort ( ) : integer Returns the port to use for insecure requests.
getPreferredLanguage ( array $languages = [] ) : string Returns the user-preferred language that should be used by this application.
getQueryParam ( string $name, mixed $defaultValue = null ) : mixed Returns the named GET parameter value.
getQueryParams ( ) : array Returns the request parameters given in the [[queryString]].
getQueryString ( ) : string Returns part of the request URL that is after the question mark.
getRawBody ( ) : string Returns the raw HTTP request body.
getReferrer ( ) : string | null Returns the URL referrer.
getScriptFile ( ) : string Returns the entry script file path.
getScriptUrl ( ) : string Returns the relative URL of the entry script.
getSecurePort ( ) : integer Returns the port to use for secure requests.
getServerName ( ) : string Returns the server name.
getServerPort ( ) : integer | null Returns the server port number.
getUrl ( ) : string Returns the currently requested relative URL.
getUserAgent ( ) : string | null Returns the user agent.
getUserHost ( ) : string | null Returns the user host name.
getUserIP ( ) : string | null Returns the user IP address.
parseAcceptHeader ( string $header ) : array Parses the given Accept (or Accept-Language) header.
post ( string $name = null, mixed $defaultValue = null ) : array | mixed Returns POST parameter with a given name. If name isn't specified, returns an array of all POST parameters.
resolve ( ) : array Resolves the current request into a route and the associated parameters.
setAcceptableContentTypes ( array $value ) Sets the acceptable content types.
setAcceptableLanguages ( array $value )
setBaseUrl ( string $value ) Sets the relative URL for the application.
setBodyParams ( array $values ) Sets the request body parameters.
setHostInfo ( string | null $value ) Sets the schema and host part of the application URL.
setPathInfo ( string $value ) Sets the path info of the current request.
setPort ( integer $value ) Sets the port to use for insecure requests.
setQueryParams ( array $values ) Sets the request [[queryString]] parameters.
setRawBody ( string $rawBody ) Sets the raw HTTP request body. This method is mainly used by test scripts to simulate raw HTTP requests.
setScriptFile ( string $value ) Sets the entry script file path.
setScriptUrl ( string $value ) Sets the relative URL for the application entry script.
setSecurePort ( integer $value ) Sets the port to use for secure requests.
setUrl ( string $value ) Sets the currently requested relative URL.
validateCsrfToken ( string $token = null ) : boolean Performs the CSRF validation.

Protected Methods

Method Description
createCsrfCookie ( string $token ) : Cookie Creates a cookie with a randomly generated CSRF token.
generateCsrfToken ( ) : string Generates an unmasked random token used to perform CSRF validation.
loadCookies ( ) : array Converts $_COOKIE into an array of Cookie.
loadCsrfToken ( ) : string Loads the CSRF token from cookie or session.
resolvePathInfo ( ) : string Resolves the path info part of the currently requested URL.
resolveRequestUri ( ) : string | boolean Resolves the request URI portion for the currently requested URL.

Private Methods

Method Description
validateCsrfTokenInternal ( string $token, string $trueToken ) : boolean Validates CSRF token
xorTokens ( string $token1, string $token2 ) : string Returns the XOR result of two strings.

Method Details

createCsrfCookie() protected method

Initial values specified in [[csrfCookie]] will be applied to the generated cookie.
See also: enableCsrfValidation
protected createCsrfCookie ( string $token ) : Cookie
$token string the CSRF token
Returns Cookie the generated cookie

generateCsrfToken() protected method

Generates an unmasked random token used to perform CSRF validation.
protected generateCsrfToken ( ) : string
Returns string the random token for CSRF validation.

get() public method

Returns GET parameter with a given name. If name isn't specified, returns an array of all GET parameters.
public get ( string $name = null, mixed $defaultValue = null ) : array | mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
Returns array | mixed

getAbsoluteUrl() public method

This is a shortcut to the concatenation of [[hostInfo]] and [[url]].
public getAbsoluteUrl ( ) : string
Returns string the currently requested absolute URL.

getAcceptableContentTypes() public method

This is determined by the Accept HTTP header. For example,

```php
$_SERVER['HTTP_ACCEPT'] = 'text/plain; q=0.5, application/json; version=1.0, application/xml; version=2.0;';
$types = $request->getAcceptableContentTypes();
print_r($types);
```

displays:

```php
[
    'application/json' => ['q' => 1, 'version' => '1.0'],
    'application/xml' => ['q' => 1, 'version' => '2.0'],
    'text/plain' => ['q' => 0.5],
]
```

public getAcceptableContentTypes ( ) : array
Returns array the content types ordered by the quality score. Types with the highest scores will be returned first. The array keys are the content types, while the array values are the corresponding quality score and other parameters as given in the header.

getAcceptableLanguages() public method

This is determined by the Accept-Language HTTP header.
public getAcceptableLanguages ( ) : array
Returns array the languages ordered by the preference level. The first element represents the most preferred language.

getAuthPassword() public method

public getAuthPassword ( ) : string | null
Returns string | null the password sent via HTTP authentication, null if the password is not given

getAuthUser() public method

public getAuthUser ( ) : string | null
Returns string | null the username sent via HTTP authentication, null if the username is not given

getBaseUrl() public method

This is similar to [[scriptUrl]] except that it does not include the script file name, and the ending slashes are removed.
See also: setScriptUrl()
public getBaseUrl ( ) : string
Returns string the relative URL for the application

getBodyParam() public method

If the parameter does not exist, the second parameter passed to this method will be returned.
See also: getBodyParams()
See also: setBodyParams()
public getBodyParam ( string $name, mixed $defaultValue = null ) : mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
Returns mixed the parameter value

getBodyParams() public method

Request parameters are determined using the parsers configured in the [[parsers]] property. If no parsers are configured for the current [[contentType]], it uses the PHP function mb_parse_str() to parse the [[rawBody|request body]].
See also: getMethod()
See also: getBodyParam()
See also: setBodyParams()
public getBodyParams ( ) : array
Returns array the request parameters given in the request body.

getContentType() public method

For the MIME-types the user expects in response, see [[acceptableContentTypes]].
public getContentType ( ) : string
Returns string request content-type. Null is returned if this information is not available.

getCookies() public method

Through the returned cookie collection, you may access a cookie using the following syntax:

```php
$cookie = $request->cookies['name'];
if ($cookie !== null) {
    $value = $cookie->value;
}

// alternatively
$value = $request->cookies->getValue('name');
```

public getCookies ( ) : CookieCollection
Returns CookieCollection the cookie collection.

getCsrfToken() public method

This token is generated in a way to prevent BREACH attacks. It may be passed along via a hidden field of an HTML form or an HTTP header value to support CSRF validation.
public getCsrfToken ( boolean $regenerate = false ) : string
$regenerate boolean whether to regenerate CSRF token. When this parameter is true, each time this method is called, a new CSRF token will be generated and persisted (in session or cookie).
Returns string the token used to perform CSRF validation.

getCsrfTokenFromHeader() public method

public getCsrfTokenFromHeader ( ) : string
Returns string the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent.

getETags() public method

Gets the Etags.
public getETags ( ) : array
Returns array The entity tags

getHeaders() public method

The header collection contains incoming HTTP headers.
public getHeaders ( ) : HeaderCollection
Returns HeaderCollection the header collection

getHostInfo() public method

The returned URL does not have an ending slash. By default this value is based on the user request information. This method will return the value of $_SERVER['HTTP_HOST'] if it is available or $_SERVER['SERVER_NAME'] if not. You may want to check out the PHP documentation for more information on these variables. You may explicitly specify it by setting the [[setHostInfo()|hostInfo]] property.

> Warning: Depending on the server configuration, this information may not be
> reliable and may be faked by the user sending the HTTP request.
> If the webserver is configured to serve the same site independent of the value of
> the Host header, this value is not reliable. In such situations you should either
> fix your webserver configuration or explicitly set the value by setting the [[setHostInfo()|hostInfo]] property.
> If you don't have access to the server configuration, you can set up the HostControl filter at
> application level in order to protect against this kind of attack.

See also: setHostInfo()
public getHostInfo ( ) : string | null
Returns string | null schema and hostname part (with port number if needed) of the request URL (e.g. `http://www.yiiframework.com`), null if it can't be obtained from `$_SERVER` and wasn't set.
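
Both mitigations named in the warning above, shown as an added configuration example that is not part of the Yii documentation. The `example.com` host names are placeholders, and the file path `config/web.php` is an assumption.

```php
<?php
// config/web.php (fragment). Added example; host names are placeholders.

return [
    'id' => 'app',
    'basePath' => dirname(__DIR__),

    // Mitigation 1: attach the HostControl filter at application level.
    // Requests whose Host header is not on the allow-list are rejected
    // before any controller code can build URLs from getHostInfo().
    'as hostControl' => [
        'class' => 'yii\filters\HostControl',
        'allowedHosts' => [
            'example.com',
            '*.example.com',
        ],
    ],

    'components' => [
        'request' => [
            // Weak default: hostInfo is left unset, so getHostInfo(),
            // getHostName() and getAbsoluteUrl() reflect whatever Host
            // header the client sent.

            // Mitigation 2: pin the value. Absolute URLs written into
            // e-mails, redirects or cached pages then no longer depend
            // on client-supplied data.
            'hostInfo' => 'https://www.example.com',
        ],
    ],
];
```

Either setting is sufficient on its own; pinning `hostInfo` suits single-host deployments, while the filter suits applications that legitimately answer on several host names.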

getHostName() public method

Value is calculated from current [[getHostInfo()|hostInfo]] property.

> Warning: The content of this value may not be reliable, depending on the server
> configuration. Please refer to Request::getHostInfo for more information.

See also: getHostInfo()
Since: 2.0.10
public getHostName ( ) : string | null
Returns string | null hostname part of the request URL (e.g. `www.yiiframework.com`)

getIsAjax() public method

Note that jQuery doesn't set the header in case of cross domain requests: https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
public getIsAjax ( ) : boolean
Returns boolean whether this is an AJAX (XMLHttpRequest) request.

getIsDelete() public method

Returns whether this is a DELETE request.
public getIsDelete ( ) : boolean
Returns boolean whether this is a DELETE request.

getIsFlash() public method

Returns whether this is an Adobe Flash or Flex request.
public getIsFlash ( ) : boolean
Returns boolean whether this is an Adobe Flash or Adobe Flex request.

getIsGet() public method

Returns whether this is a GET request.
public getIsGet ( ) : boolean
Returns boolean whether this is a GET request.

getIsHead() public method

Returns whether this is a HEAD request.
public getIsHead ( ) : boolean
Returns boolean whether this is a HEAD request.

getIsOptions() public method

Returns whether this is an OPTIONS request.
public getIsOptions ( ) : boolean
Returns boolean whether this is an OPTIONS request.

getIsPatch() public method

Returns whether this is a PATCH request.
public getIsPatch ( ) : boolean
Returns boolean whether this is a PATCH request.

getIsPjax() public method

Returns whether this is a PJAX request.
public getIsPjax ( ) : boolean
Returns boolean whether this is a PJAX request

getIsPost() public method

Returns whether this is a POST request.
public getIsPost ( ) : boolean
Returns boolean whether this is a POST request.

getIsPut() public method

Returns whether this is a PUT request.
public getIsPut ( ) : boolean
Returns boolean whether this is a PUT request.

getIsSecureConnection() public method

Returns whether the request is sent via a secure channel (HTTPS).
public getIsSecureConnection ( ) : boolean
Returns boolean whether the request is sent via a secure channel (HTTPS)

getMethod() public method

Returns the method of the current request (e.g. GET, POST, HEAD, PUT, PATCH, DELETE).
public getMethod ( ) : string
Returns string request method, such as GET, POST, HEAD, PUT, PATCH, DELETE. The value returned is turned into upper case.

getPathInfo() public method

A path info refers to the part that is after the entry script and before the question mark (query string). The starting and ending slashes are both removed.
public getPathInfo ( ) : string
Returns string part of the request URL that is after the entry script and before the question mark. Note, the returned path info is already URL-decoded.

getPort() public method

Defaults to 80, or the port specified by the server if the current request is insecure.
See also: setPort()
public getPort ( ) : integer
Returns integer port number for insecure requests.

getPreferredLanguage() public method

The language resolution is based on the user preferred languages and the languages supported by the application. The method will try to find the best match.
public getPreferredLanguage ( array $languages = [] ) : string
$languages array a list of the languages supported by the application. If this is empty, the current application language will be returned without further processing.
Returns string the language that the application should use.

getQueryParam() public method

If the GET parameter does not exist, the second parameter passed to this method will be returned.
See also: getBodyParam()
public getQueryParam ( string $name, mixed $defaultValue = null ) : mixed
$name string the GET parameter name.
$defaultValue mixed the default parameter value if the GET parameter does not exist.
Returns mixed the GET parameter value

getQueryParams() public method

This method will return the contents of $_GET if params were not explicitly set.
See also: setQueryParams()
public getQueryParams ( ) : array
Returns array the request GET parameter values.

getQueryString() public method

Returns part of the request URL that is after the question mark.
public getQueryString ( ) : string
Returns string part of the request URL that is after the question mark

getRawBody() public method

Returns the raw HTTP request body.
public getRawBody ( ) : string
Returns string the request body

getReferrer() public method

Returns the URL referrer.
public getReferrer ( ) : string | null
Returns string | null URL referrer, null if not available

getScriptFile() public method

The default implementation will simply return $_SERVER['SCRIPT_FILENAME'].
public getScriptFile ( ) : string
Returns string the entry script file path

getScriptUrl() public method

The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework.
public getScriptUrl ( ) : string
Returns string the relative URL of the entry script.

getSecurePort() public method

Defaults to 443, or the port specified by the server if the current request is secure.
See also: setSecurePort()
public getSecurePort ( ) : integer
Returns integer port number for secure requests.

getServerName() public method

Returns the server name.
public getServerName ( ) : string
Returns string server name, null if not available

getServerPort() public method

Returns the server port number.
public getServerPort ( ) : integer | null
Returns integer | null server port number, null if not available

getUrl() public method

This refers to the portion of the URL that is after the [[hostInfo]] part. It includes the [[queryString]] part if any.
public getUrl ( ) : string
Returns string the currently requested relative URL. Note that the URI returned is URL-encoded.

getUserAgent() public method

Returns the user agent.
public getUserAgent ( ) : string | null
Returns string | null user agent, null if not available

getUserHost() public method

Returns the user host name.
public getUserHost ( ) : string | null
Returns string | null user host name, null if not available

getUserIP() public method

Returns the user IP address.
public getUserIP ( ) : string | null
Returns string | null user IP address, null if not available

loadCookies() protected method

Converts $_COOKIE into an array of Cookie.
protected loadCookies ( ) : array
Returns array the cookies obtained from request

loadCsrfToken() protected method

Loads the CSRF token from cookie or session.
protected loadCsrfToken ( ) : string
Returns string the CSRF token loaded from cookie or session. Null is returned if the cookie or session does not have CSRF token.

parseAcceptHeader() public method

This method will return the acceptable values with their quality scores and the corresponding parameters as specified in the given Accept header. The array keys of the return value are the acceptable values, while the array values consist of the corresponding quality scores and parameters. The acceptable values with the highest quality scores will be returned first. For example,

```php
$header = 'text/plain; q=0.5, application/json; version=1.0, application/xml; version=2.0;';
$accepts = $request->parseAcceptHeader($header);
print_r($accepts);
```

displays:

```php
[
    'application/json' => ['q' => 1, 'version' => '1.0'],
    'application/xml' => ['q' => 1, 'version' => '2.0'],
    'text/plain' => ['q' => 0.5],
]
```

public parseAcceptHeader ( string $header ) : array
$header string the header to be parsed
Returns array the acceptable values ordered by their quality score. The values with the highest scores will be returned first.

post() public method

Returns POST parameter with a given name. If name isn't specified, returns an array of all POST parameters.
public post ( string $name = null, mixed $defaultValue = null ) : array | mixed
$name string the parameter name
$defaultValue mixed the default parameter value if the parameter does not exist.
Returns array | mixed

resolve() public method

Resolves the current request into a route and the associated parameters.
public resolve ( ) : array
Returns array the first element is the route, and the second is the associated parameters.

resolvePathInfo() protected method

A path info refers to the part that is after the entry script and before the question mark (query string). The starting slashes are removed (ending slashes will be kept).
protected resolvePathInfo ( ) : string
Returns string part of the request URL that is after the entry script and before the question mark. Note, the returned path info is decoded.

resolveRequestUri() protected method

This refers to the portion that is after the [[hostInfo]] part. It includes the [[queryString]] part if any. The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework.
protected resolveRequestUri ( ) : string | boolean
Returns string | boolean the request URI portion for the currently requested URL. Note that the URI returned is URL-encoded.

setAcceptableContentTypes() public method

Please refer to Request::getAcceptableContentTypes for the format of the parameter.
See also: getAcceptableContentTypes()
See also: parseAcceptHeader()
public setAcceptableContentTypes ( array $value )
$value array the content types that are acceptable by the end user. They should be ordered by the preference level.

setAcceptableLanguages() public method

public setAcceptableLanguages ( array $value )
$value array the languages that are acceptable by the end user. They should be ordered by the preference level.

setBaseUrl() public method

By default the URL is determined based on the entry script URL. This setter is provided in case you want to change this behavior.
public setBaseUrl ( string $value )
$value string the relative URL for the application

setBodyParams() public method

Sets the request body parameters.
See also: getBodyParam()
See also: getBodyParams()
public setBodyParams ( array $values )
$values array the request body parameters (name-value pairs)

setHostInfo() public method

This setter is provided in case the schema and hostname cannot be determined on certain Web servers.
See also: getHostInfo() for security related notes on this property.
public setHostInfo ( string | null $value )
$value string | null the schema and host part of the application URL. The trailing slashes will be removed.

setPathInfo() public method

This method is mainly provided for testing purposes.
public setPathInfo ( string $value )
$value string the path info of the current request

setPort() public method

This setter is provided in case a custom port is necessary for certain server configurations.
public setPort ( integer $value )
$value integer port number.

setQueryParams() public method

Sets the request [[queryString]] parameters.
See also: getQueryParam()
See also: getQueryParams()
public setQueryParams ( array $values )
$values array the request query parameters (name-value pairs)

setRawBody() public method

Sets the raw HTTP request body. This method is mainly used by test scripts to simulate raw HTTP requests.
public setRawBody ( string $rawBody )
$rawBody string the request body

setScriptFile() public method

The entry script file path normally can be obtained from $_SERVER['SCRIPT_FILENAME']. If your server configuration does not return the correct value, you may configure this property to make it right.
public setScriptFile ( string $value )
$value string the entry script file path.

setScriptUrl() public method

This setter is provided in case the entry script URL cannot be determined on certain Web servers.
public setScriptUrl ( string $value )
$value string the relative URL for the application entry script.

setSecurePort() public method

This setter is provided in case a custom port is necessary for certain server configurations.
public setSecurePort ( integer $value )
$value integer port number.

setUrl() public method

The URI must refer to the portion that is after [[hostInfo]]. Note that the URI should be URL-encoded.
public setUrl ( string $value )
$value string the request URI to be set

validateCsrfToken() public method

This method will validate the user-provided CSRF token by comparing it with the one stored in cookie or session. This method is mainly called in [[Controller::beforeAction()]]. Note that the method will NOT perform CSRF validation if [[enableCsrfValidation]] is false or the HTTP method is among GET, HEAD or OPTIONS.
public validateCsrfToken ( string $token = null ) : boolean
$token string the user-provided CSRF token to be validated. If null, the token will be retrieved from the [[csrfParam]] POST field or HTTP header. This parameter is available since version 2.0.4.
Returns boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
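
The masking that getCsrfToken() describes as BREACH protection, and the comparison that validateCsrfToken() performs, can be pictured with the stand-alone sketch below. It is an added example, not Yii's own code: the function names, the 16-byte token and the choice of a mask as long as the token are assumptions of the sketch.

```php
<?php
// Added illustration of per-response CSRF token masking; not Yii's source code.
// All function names and the equal-length mask are assumptions of this sketch.

/** Random "true" token, kept server-side in the session or in the CSRF cookie. */
function newTrueToken(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters
}

/**
 * Mask the true token with a fresh random pad, so the secret never appears
 * as a stable byte sequence in a compressed response body.
 */
function maskToken(string $trueToken): string
{
    $mask = random_bytes(strlen($trueToken));
    // PHP's ^ on two equal-length strings XORs them byte by byte.
    return base64_encode($mask . ($mask ^ $trueToken));
}

/** Reverse maskToken(); returns null for anything that is not well-formed. */
function unmaskToken(string $masked): ?string
{
    $raw = base64_decode($masked, true);
    if ($raw === false || $raw === '' || strlen($raw) % 2 !== 0) {
        return null;
    }
    $half = intdiv(strlen($raw), 2);
    return substr($raw, 0, $half) ^ substr($raw, $half);
}

/** Unmask the submitted value and compare it in constant time. */
function validateToken($submitted, ?string $trueToken): bool
{
    // Reject a missing stored token and non-string input such as _csrf[]=x.
    if (!is_string($submitted) || $trueToken === null || $trueToken === '') {
        return false;
    }
    $candidate = unmaskToken($submitted);
    return $candidate !== null && hash_equals($trueToken, $candidate);
}

/** Runs the checks on constructed values and returns the results by name. */
function demo(): array
{
    $true = newTrueToken();
    $first = maskToken($true);   // value embedded in one response
    $second = maskToken($true);  // value embedded in the next response

    // Alter one character of the submitted value.
    $tampered = $first;
    $tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';

    return [
        'masked_values_differ' => $first !== $second,
        'first_validates' => validateToken($first, $true),
        'second_validates' => validateToken($second, $true),
        'tampered_validates' => validateToken($tampered, $true),
        'array_input_validates' => validateToken(['x'], $true),
        'malformed_validates' => validateToken('not base64!', $true),
    ];
}

var_export(demo());
```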

Property Details

$cookieValidationKey public property

a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true.
public $cookieValidationKey

$csrfCookie public property

the configuration for creating the CSRF [[Cookie|cookie]]. This property is used only when both [[enableCsrfValidation]] and [[enableCsrfCookie]] are true.
public $csrfCookie

$csrfParam public property

the name of the token used to prevent CSRF. Defaults to '_csrf'. This property is used only when [[enableCsrfValidation]] is true.
public $csrfParam

$enableCookieValidation public property

whether cookies should be validated to ensure they are not tampered with. Defaults to true.
public $enableCookieValidation

$enableCsrfCookie public property

whether to use a cookie to persist the CSRF token. If false, the CSRF token will be stored in session under the name of [[csrfParam]]. Note that while storing CSRF tokens in session increases security, it requires starting a session for every page, which will degrade your site performance.
public $enableCsrfCookie

$enableCsrfValidation public property

whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. When CSRF validation is enabled, forms submitted to a Yii Web application must originate from the same application. If not, a 400 HTTP exception will be raised. Note, this feature requires that the user client accepts cookies. Also, to use this feature, forms submitted via POST method must contain a hidden input whose name is specified by [[csrfParam]]. You may use [[\yii\helpers\Html::beginForm()]] to generate this hidden input. In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via yii.getCsrfParam() and yii.getCsrfToken(), respectively. The [[\yii\web\YiiAsset]] asset must be registered. You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
See also: Controller::enableCsrfValidation
See also: http://en.wikipedia.org/wiki/Cross-site_request_forgery
public $enableCsrfValidation
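
How the cookie and CSRF properties above fit together in the `request` component, with the weak settings shown as comments beside the hardened ones. This is an added example, not taken from the Yii documentation; the environment variable name `APP_COOKIE_KEY`, the 32-character minimum and the file path are assumptions.

```php
<?php
// config/web.php (fragment). Added example, not taken from the Yii documentation.
// APP_COOKIE_KEY is an assumed environment variable name.

$cookieKey = getenv('APP_COOKIE_KEY');
if ($cookieKey === false || strlen($cookieKey) < 32) {
    // Fail closed: with enableCookieValidation = true the key must be set,
    // and a missing or short key gives the cookie check nothing to rely on.
    throw new RuntimeException('APP_COOKIE_KEY must hold at least 32 random characters');
}

return [
    'id' => 'app',
    'basePath' => dirname(__DIR__),
    'components' => [
        'request' => [
            // Weak settings to avoid:
            //   'enableCookieValidation' => false,      // cookie values are not checked for tampering
            //   'enableCsrfValidation'   => false,      // POST forms accepted from other sites
            //   'cookieValidationKey'    => 'changeme', // guessable key committed to source control

            'enableCookieValidation' => true,
            'cookieValidationKey' => $cookieKey,

            'enableCsrfValidation' => true,
            'csrfParam' => '_csrf',

            // Option A: persist the CSRF token in a cookie and restrict that cookie.
            // csrfCookie is only read when enableCsrfCookie is true.
            'enableCsrfCookie' => true,
            'csrfCookie' => [
                'httpOnly' => true, // not readable through document.cookie
                'secure' => true,   // only sent over HTTPS
            ],

            // Option B: keep the token in the session instead. csrfCookie is then
            // unused, and a session is started for every page.
            // 'enableCsrfCookie' => false,
        ],
    ],
];
```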

$methodParam public property

the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE request tunneled through POST. Defaults to '_method'.
See also: getMethod()
See also: getBodyParams()
public $methodParam

$parsers public property

the parsers for converting the raw HTTP request body into [[bodyParams]]. The array keys are the request Content-Types, and the array values are the corresponding configurations for [[Yii::createObject|creating the parser objects]]. A parser must implement the [[RequestParserInterface]]. To enable parsing for JSON requests you can use the JsonParser class like in the following example:

```php
[
    'application/json' => 'yii\web\JsonParser',
]
```

To register a parser for parsing all request types you can use '*' as the array key. This one will be used as a fallback in case no other types match.
See also: getBodyParams()
public $parsers