Yii2: Using csrf token

Yii2: Using csrf token

First, if you do not understand what is the CSRF token? and why should we use it, please refer to the following link :
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

One of the new features of Yii2 is CSRF validation enabled by default.
If you use ajax or basic form as follows :

<form action='#' method='POST'>
...........
</form>

You will get an error exception :

Bad Request (#400): Unable to verify your data submission

That is because you do not submit csrf token. The easiest way if you dont care about csrf just disable it in main config :

'components' => [
'request' => [
....
'enableCsrfValidation'=>false,
],
.....
],

Or in Controller :

public function beforeAction($action) {
$this->enableCsrfValidation = false;
return parent::beforeAction($action);
}

So how to use Csrf Validation for your strong security website:

* With basic form:
– Create form with yiiwidgetsActiveForm or yiibootstrapActiveForm
ActiveForm will automatically add a token in the form

Can use like this

<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
<?= $form->field($model, 'username') ?>
<?= $form->field($model, 'password')->passwordInput() ?>
....
<?php ActiveForm::end(); ?>

Or

<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
<input type='text' name='name'/>
.........
<?php ActiveForm::end(); ?>

* With manual form:
you must manually add CSRF token in the form

<form action='#' method='POST'>
<input type="hidden" name="_csrf" value="<?=Yii::$app->request->getCsrfToken()?>" />
....
</form>

* With Ajax
– In main layout add csrfMetaTags :

<head>
.......
<?= Html::csrfMetaTags() ?>
</head>

– And in javascript ajax code add csrf param like this:

var csrfToken = $('meta[name="csrf-token"]').attr("content");
$.ajax({
url: 'request',
type: 'post',
dataType: 'json',
data: {param1: param1, _csrf : csrfToken},
});

source : http://zero-exception.blogspot.com/2015/01/yii2-using-csrf-token.html

Leave a comment

Your email address will not be published. Required fields are marked *