Detailed explanation of the local switch of yii2 csrf

This article mainly introduces the example code for partially closing (opening) CSRF verification in yii2. The editor thinks it’s pretty good, so I’d like to share it with you now and give it as a reference. I hope to be helpful.

(1) For global use, we directly set enableCookieValidation to true in the configuration file

request => [ 
  'enableCookieValidation' => true, 
]

If you do not need to use csrf, set 'enableCookieValidation' => false , but this is unsafe, so enableCookieValidation in yii\web\request of yii2 is set to true by default, which means csrf is enabled by default, so we can also not configure this value and enable it by default.

If you enable csrf, because it is global, authentication will be required for any post request, so when we post data, we must set the csrf data to be hidden in the form.

<input type="hidden" name="_csrf" id=&#39;csrf&#39; value="<?= Yii::$app->request->csrfToken ?>">

When posting data, you must post this value. The value generated is 83e0b9f8cdad4f031f9e4efdaa38d325request->csrfToken ?>, and an encrypted csrfToken is returned. .

So whether it is a post form or an ajax post, the value of csrfToken must be set, and it must be posted when submitting. If not, an error will occur and authentication will not pass.

(2) If you don’t want to use csrf verification in some controllers, what should you do?

The method is very simple, set it directly

public $enableCsrfValidation = false ,

Because this Controller inherits from yii\web\Controller, it will be equivalent to inheriting from the enableCsrfValidation attribute, then create the controller When the instance is used, the CSRF function will be turned off in this controller, and verification will not be performed when accessing the post of this controller.

For example, when we develop the API, when the WeChat interface needs to post data to our interface, since the WeChat side does not know the csrfToken, when accessing the post data, if it is turned on If it is a global csrf, it will definitely not be accessible successfully. So at this time, you need to turn off the csrf of this API.

3) What if you want to specifically close a certain action?

Sometimes in some functions, we need to turn off csrf verification in a certain action. We know that the verification of csrf is implemented in beforeAction($Action). Next, we can rewrite the beforeAction($action) method in the Controller.

public function beforeAction($action) { 
 
  $currentaction = $action->id; 
 
  $novalidactions = ['dologin']; 
 
  if(in_array($currentaction,$novalidactions)) { 
 
    $action->controller->enableCsrfValidation = false; 
  } 
  parent::beforeAction($action); 
 
  return true; 
}

The parameter $action passed in is the controller for this access. The instantiated object contains a lot of information, which you can print and see.

First execute $action->id to obtain the current accessed action name. And $novalidactions is an array, which contains the action names. These actions are all operations that you need to turn off CSRF authentication (operations that need to turn off CSRF authentication).

Whether the action currently accessed is in this $novalidactions. If it is, it means that this action needs to turn off the csrf function, so set the controller instance to

$action->controller->enableCsrfValidation = false

Next, parent::beforeAction($action) is executed. At this time, the enableCsrfValidation of the controller instance in the passed in $action has changed to false.

In the end, true must be returned, otherwise, the action operation will not be executed.

(4) What if it is partially turned on?

First set

request => [
'enableCookieValidation' => false,
]

in the configuration file to not use csrf globally.

(a) To enable it in the controller, you only need to set

public $enableCsrfValidation = true

and the entire controller will be enabled

(b) To enable it in the action

public function beforeAction($action) {
$currentaction = $action->id;
$accessactions = ['dologin'];
i f(in_array($currentaction,$accessactions)) {
       $action->controller->enableCsrfValidation = true;
 }

    parent::beforeAction($action);
    return true;
}

$accessactions is the name of the action that needs to enable csrf. Set $action->controller->enableCsrfValidation = true, and the current operation can enable csrf.

Related recommendations:

Detailed explanation of how the Yii framework implements logging to custom files

Detailed explanation of Yii framework's simple extension class for batch insertion of data

##Detailed explanation of restful api authorization verification of yii2

The above is the detailed content of Detailed explanation of the local switch of yii2 csrf. For more information, please follow other related articles on the PHP Chinese website!