Code for partially turning on and off CSRF verification in yii2

This article mainly introduces you to the example code of yii2 partially closing (opening) csrf verification. The editor thinks it’s pretty good, so I’d like to share it with you now and give it as a reference. Let’s follow the editor to take a look, I hope it can help everyone.

(1) For global use, we directly set enableCookieValidation to true in the configuration file

request => [ 
  'enableCookieValidation' => true, 
]

If you do not need to use csrf , set 'enableCookieValidation' => false, but this is unsafe, so enableCookieValidation in yii\web\request of yii2 is set to true by default, which means csrf is enabled by default, so we can also not configure this value. Enabled by default.

If you enable csrf, because it is global, authentication will be required for any post request, so when we post data, we must set the csrf data to be hidden in the form.

Copy code The code is as follows:

cac4f2c82ca88228e95b7c3f0746760brequest->csrfToken ?>">

When posting data, you must post this value. The generation of this value383effb76a410f3838d3b14ab8483ff7request->csrfToken ?>, returns an encrypted csrfToken.

So whether it is a post form or an ajax post, the value of csrfToken must be set, and it must be posted when submitting. If not, an error will occur and authentication will not pass.

(2) If you don’t want to use csrf verification in some controllers, what should you do?

The method is very simple, just set it directly

public $enableCsrfValidation = false ,

Because this Controller inherits from yii\web\Controller, it will be equivalent to inheriting from With the attribute enableCsrfValidation, when creating a controller instance, the csrf function will be turned off in this controller, and verification will not be performed when accessing the post of this controller.

For example, when we develop the API, when the WeChat interface needs to post data to our interface, since the WeChat side does not know the csrfToken, when accessing the post data, if it is turned on If it is a global csrf, it will definitely not be accessible successfully. So at this time, you need to turn off the csrf of this API.

3) What if you want to specifically close a certain action?

Sometimes in some functions, we need to turn off csrf verification in a certain action. We know that the verification of csrf is implemented in beforeAction($Action). Next we can rewrite the beforeAction($action) method in the Controller

public function beforeAction($action) { 
 
  $currentaction = $action->id; 
 
  $novalidactions = ['dologin']; 
 
  if(in_array($currentaction,$novalidactions)) { 
 
    $action->controller->enableCsrfValidation = false; 
  } 
  parent::beforeAction($action); 
 
  return true; 
}

pass in The parameter $action is the object instantiated by the controller for this access. It contains a lot of information, which you can print and see.

First execute $action->id to obtain the current accessed action name. And $novalidactions is an array, which contains the action names. These actions are all operations that you need to turn off CSRF authentication (operations that need to turn off CSRF authentication).

Whether the current accessed action is in this $novalidactions? If it is, it means that this action needs to turn off the csrf function, so set this controller instance to

$action->controller->enableCsrfValidation = false

Next, parent::beforeAction($action) is executed. At this time, the enableCsrfValidation of the controller instance in the incoming $action has changed to false.

In the end, true must be returned, otherwise, the action operation will not be executed.

(4) What if it is partially turned on?

First, set

request => [
'enableCookieValidation' => false,
]

in the configuration file to not use csrf globally.

(a) To enable it in the controller, you only need to set

public $enableCsrfValidation = true

and the entire controller will be enabled

(b) To enable

public function beforeAction($action) {
$currentaction = $action->id;
$accessactions = ['dologin'];
i f(in_array($currentaction,$accessactions)) {
       $action->controller->enableCsrfValidation = true;
 }

    parent::beforeAction($action);
    return true;
}

in action $accessactions is the name of the action that needs to enable csrf, and set $action->controller->enableCsrfValidation = true, the current operation can enable csrf.

Related recommendations:

Detailed explanation of the local switch of yii2 csrf

Solution to the 400 error after enabling CSRf

Yii2.0 defense csrf attack method

The above is the detailed content of Code for partially turning on and off CSRF verification in yii2. For more information, please follow other related articles on the PHP Chinese website!