PHP Class Cake\Controller\Component\CsrfComponent
This component adds a CSRF token to a cookie. The cookie value is compared to
request data, or the X-CSRF-Token header on each PATCH, POST,
PUT, or DELETE request.
If the request data is missing or does not match the cookie data,
a ForbiddenException will be raised.
This component integrates with the FormHelper automatically and when
used together your forms will have CSRF tokens automatically added
when
$this->Form->create(...) is used in a view.
Mostra file
Open project: cakephp/cakephp
Class Usage Examples
Protected Properties
Property |
Type |
Description |
|
$_defaultConfig |
array |
- cookieName = The name of the cookie to send.
- expiry = How long the CSRF token should last. Defaults to browser session.
- secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
- httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
- field = The form field to check. Changing this will also require configuring
FormHelper. |
|
Public Methods
Protected Methods
Method |
Description |
|
_setCookie ( Cake\Network\Request $request, Response $response ) : void |
Set the cookie in the response. |
|
_validateToken ( Cake\Network\Request $request ) : void |
Validate the request data against the cookie token. |
|
Method Details
_setCookie()
protected method
Also sets the request->params['_csrfToken'] so the newly minted
token is available in the request data.
protected _setCookie ( Cake\Network\Request $request, Response $response ) : void |
$request |
Cake\Network\Request |
The request object. |
$response |
Cake\Network\Response |
The response object. |
return |
void |
|
_validateToken()
protected method
Validate the request data against the cookie token.
protected _validateToken ( Cake\Network\Request $request ) : void |
$request |
Cake\Network\Request |
The request to validate against. |
return |
void |
|
implementedEvents()
public method
Events supported by this component.
Validates the CSRF token for POST data. If
the request is a GET request, and the cookie value is absent a cookie will be set.
Once a cookie is set it will be copied into request->params['_csrfToken']
so that application and framework code can easily access the csrf token.
RequestAction requests do not get checked, nor will
they set a cookie should it be missing.
public startup ( Cake\Event\Event $event ) : void |
$event |
Cake\Event\Event |
Event instance. |
return |
void |
|
Property Details
$_defaultConfig protected_oe property
- cookieName = The name of the cookie to send.
- expiry = How long the CSRF token should last. Defaults to browser session.
- secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
- httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
- field = The form field to check. Changing this will also require configuring
FormHelper.
protected array $_defaultConfig |
return |
array |
|