Class CsrfComponent
Provides CSRF protection & validation.
This component adds a CSRF token to a cookie. The cookie value is compared to request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request.
If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.
This component integrates with the FormHelper automatically and when
used together your forms will have CSRF tokens automatically added
when $this->Form->create(...) is used in a view.
- Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait , Cake\Log\LogTrait
-
Cake\Controller\Component\CsrfComponent
Deprecated: 3.5.0 Use Cake\Http\Middleware\CsrfProtectionMiddleware instead.
Location: Controller/Component/CsrfComponent.php
Properties summary
-
$_defaultConfigprotectedarrayDefault config for the CSRF handling.
Inherited Properties
Method Summary
-
_setCookie() protected deprecated
Set the cookie in the response. -
_validateToken() protected deprecated
Validate the request data against the cookie token. -
implementedEvents() public deprecated
Events supported by this component. -
initialize() public deprecated
Warn if CsrfComponent is used together with CsrfProtectionMiddleware -
startup() public deprecated
Startup callback.
Method Detail
_setCookie() protected deprecated ¶
_setCookie( Cake\Http\ServerRequest $request , Cake\Http\Response $response )
Set the cookie in the response.
Also sets the request->params['_csrfToken'] so the newly minted token is available in the request data.
Parameters
-
Cake\Http\ServerRequest$request - The request object.
-
Cake\Http\Response$response - The response object.
Returns
An array of the modified request, response.
_validateToken() protected deprecated ¶
_validateToken( Cake\Http\ServerRequest $request )
Validate the request data against the cookie token.
Parameters
-
Cake\Http\ServerRequest$request - The request to validate against.
Throws
implementedEvents() public deprecated ¶
implementedEvents( )
Events supported by this component.
Returns
Overrides
initialize() public deprecated ¶
initialize( array $config )
Warn if CsrfComponent is used together with CsrfProtectionMiddleware
Parameters
- array $config
- The config data.
Overrides
startup() public deprecated ¶
startup( Cake\Event\Event $event )
Startup callback.
Validates the CSRF token for POST data. If the request is a GET request, and the cookie value is absent a cookie will be set.
Once a cookie is set it will be copied into request->getParam('_csrfToken') so that application and framework code can easily access the csrf token.
RequestAction requests do not get checked, nor will they set a cookie should it be missing.
Parameters
-
Cake\Event\Event$event - Event instance.
Methods inherited from Cake\Controller\Component
__construct() public ¶
__construct( Cake\Controller\ComponentRegistry $registry , array $config = [] )
Constructor
Parameters
-
Cake\Controller\ComponentRegistry$registry - A ComponentRegistry this component can use to lazy load its components
- array $config optional []
- Array of configuration settings.
__debugInfo() public ¶
__debugInfo( )
Returns an array that can be used to describe the internal state of this object.
Returns
__get() public ¶
__get( string $name )
Magic method for lazy loading $components.
Parameters
- string $name
- Name of component to get.
Returns
Methods used from Cake\Core\InstanceConfigTrait
_configDelete() protected ¶
_configDelete( string $key )
Deletes a single config key.
Parameters
- string $key
- Key to delete.
Throws
_configRead() protected ¶
_configRead( string|null $key )
Reads a config key.
Parameters
- string|null $key
- Key to read.
Returns
_configWrite() protected ¶
_configWrite( string|array $key , mixed $value , boolean|string $merge = false )
Writes a config key.
Parameters
- string|array $key
- Key to write to.
- mixed $value
- Value to write.
- boolean|string $merge optional false
True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
Throws
config() public deprecated ¶
config( string|array|null $key = null , mixed|null $value = null , boolean $merge = true )
Gets/Sets the config.
Usage
Reading the whole config:
$this->config();
Reading a specific value:
$this->config('key');
Reading a nested value:
$this->config('some.nested.key');
Setting a specific value:
$this->config('key', $value);
Setting a nested value:
$this->config('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->config(['one' => 'value', 'another' => 'value']);
Parameters
- string|array|null $key optional null
- The key to get/set, or a complete array of configs.
- mixed|null $value optional null
- The value to set.
- boolean $merge optional true
- Whether to recursively merge or overwrite existing config, defaults to true.
Returns
Config value being read, or the object itself on write operations.
Throws
configShallow() public ¶
configShallow( string|array $key , mixed|null $value = null )
Merge provided config with existing config. Unlike config() which does
a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->configShallow('key', $value);
Setting a nested value:
$this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
- string|array $key
- The key to set, or a complete array of configs.
- mixed|null $value optional null
- The value to set.
Returns
$this
getConfig() public ¶
getConfig( string|null $key = null , mixed $default = null )
Returns the config.
Usage
Reading the whole config:
$this->getConfig();
Reading a specific value:
$this->getConfig('key');
Reading a nested value:
$this->getConfig('some.nested.key');
Reading with default value:
$this->getConfig('some-key', 'default-value');
Parameters
- string|null $key optional null
- The key to get or null for the whole config.
- mixed $default optional null
- The return value when the key does not exist.
Returns
Configuration data at the named key or null if the key does not exist.
setConfig() public ¶
setConfig( string|array $key , mixed|null $value = null , boolean $merge = true )
Sets the config.
Usage
Setting a specific value:
$this->setConfig('key', $value);
Setting a nested value:
$this->setConfig('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters
- string|array $key
- The key to set, or a complete array of configs.
- mixed|null $value optional null
- The value to set.
- boolean $merge optional true
- Whether to recursively merge or overwrite existing config, defaults to true.
Returns
$this
Throws
Methods used from Cake\Log\LogTrait
log() public ¶
log( mixed $msg , integer|string $level = LogLevel::ERROR , string|array $context = [] )
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Parameters
- mixed $msg
- Log message.
- integer|string $level optional LogLevel::ERROR
- Error level.
- string|array $context optional []
- Additional log data relevant to this message.
Returns
Success of log write.
Properties detail
$_defaultConfig ¶
Default config for the CSRF handling.
- cookieName = The name of the cookie to send.
- expiry = How long the CSRF token should last. Defaults to browser session.
- secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
- httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
- field = The form field to check. Changing this will also require configuring FormHelper.
[
'cookieName' => 'csrfToken',
'expiry' => 0,
'secure' => false,
'httpOnly' => false,
'field' => '_csrfToken',
]