Code for partially turning on and off CSRF verification in yii2

This article walks through example code for turning yii2's CSRF validation off (or on) for only part of an application: globally, per controller, and per action.

(1) To use CSRF validation globally, set enableCsrfValidation to true on the request component in the configuration file:

'request' => [
    'enableCsrfValidation' => true,
],

If you do not want CSRF validation at all, set 'enableCsrfValidation' => false. This is unsafe, which is why yii\web\Request sets enableCsrfValidation to true by default: CSRF validation is on unless you switch it off, so the value does not need to be configured at all. (enableCookieValidation, a sibling property of the same component, is unrelated: it controls cookie signing, not CSRF.)

Because the setting is global, every POST request is validated, so every form that posts data must carry the CSRF token in a hidden field.

The value of that hidden field is generated by the request component:

<?= Yii::$app->request->csrfToken ?>

This returns an encrypted csrfToken, and it is this value that must be posted back with the data.

So whether the request is a plain POST form or an AJAX POST, the csrfToken value must be set and sent with the submission. If it is missing or wrong, validation fails and the request is rejected with an error.
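As an added example (not code from the original article), here is a view that sends the token both ways described above: as the hidden form field and as a request header for an AJAX POST. The route site/dologin is assumed; the field name and header name are the yii\web\Request defaults.

```php
<?php
/* Added example view, not the article's own code. Assumes a Yii2 app with
 * a POST action at 'site/dologin' (hypothetical route) and the default
 * request component, so the token field name is Request::$csrfParam ('_csrf'). */
use yii\helpers\Html;
use yii\helpers\Url;

$request = Yii::$app->request;
$url = Url::to(['site/dologin']);
?>
<form method="post" action="<?= Html::encode($url) ?>">
    <?php // Hidden field: the same name the request component reads on POST. ?>
    <?= Html::hiddenInput($request->csrfParam, $request->csrfToken) ?>
    <?= Html::textInput('username') ?>
    <?= Html::passwordInput('password') ?>
    <?= Html::submitButton('Login') ?>
</form>

<script>
// AJAX POST: the same token may instead travel in the X-CSRF-Token header
// (yii\web\Request::CSRF_HEADER), which validateCsrfToken() also accepts.
// Constructed sample credentials, for illustration only.
fetch(<?= json_encode($url) ?>, {
    method: 'POST',
    headers: {'X-CSRF-Token': <?= json_encode($request->csrfToken) ?>},
    body: new URLSearchParams({username: 'alice', password: 'secret'})
}).then(function (resp) {
    // A missing or stale token is answered with HTTP 400 by beforeAction().
    console.log(resp.status);
});
</script>
```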

(2) What if you do not want CSRF validation in some controllers?

The method is very simple: declare this in the controller

public $enableCsrfValidation = false;

Because the controller inherits from yii\web\Controller, it inherits the enableCsrfValidation property, and overriding it here turns CSRF validation off for the whole controller as soon as the instance is created: no POST to this controller is validated.

For example, when developing an API that the WeChat platform posts data to, the WeChat side has no way of knowing our csrfToken, so with CSRF enabled globally its POSTs would never succeed. In that case the CSRF validation of this API controller has to be turned off (and the controller should authenticate the caller by other means).

(3) What if you want to turn it off for one specific action?

Sometimes only a single action needs CSRF validation turned off. The validation is performed in beforeAction($action), so we can override beforeAction($action) in the controller:


public function beforeAction($action)
{
    // id of the action being accessed in this request
    $currentaction = $action->id;

    // actions for which CSRF validation is switched off
    $novalidactions = ['dologin'];

    if (in_array($currentaction, $novalidactions)) {
        $action->controller->enableCsrfValidation = false;
    }

    // the parent performs the CSRF check; its result must be returned
    return parent::beforeAction($action);
}

The parameter $action is the action object the controller instantiated for this request. It carries a lot of information, which you can print out to inspect.

First, $action->id gives the id of the action being accessed. $novalidactions is an array of action ids: the actions for which CSRF validation should be turned off.

If the current action is in $novalidactions, it needs CSRF turned off, so the controller instance is set to

$action->controller->enableCsrfValidation = false;

Next, parent::beforeAction($action) runs. By then enableCsrfValidation on the controller instance inside the incoming $action is already false, so the check is skipped for this action.

Finally, beforeAction must return true (the parent's result when validation passes); otherwise the action will not be executed.

(4) What if CSRF validation should be turned on only in some places?

First, turn it off globally by setting

'request' => [
    'enableCsrfValidation' => false,
],

in the configuration file.

(a) To enable it for a whole controller, simply declare

public $enableCsrfValidation = true;

and validation is on for every action of that controller.

(b) To enable it for a single action, override beforeAction in the same way:

public function beforeAction($action)
{
    $currentaction = $action->id;

    // actions for which CSRF validation is switched on
    $accessactions = ['dologin'];

    if (in_array($currentaction, $accessactions)) {
        $action->controller->enableCsrfValidation = true;
    }

    return parent::beforeAction($action);
}

Here $accessactions holds the ids of the actions that need CSRF validation; setting $action->controller->enableCsrfValidation = true for them enables validation for just those actions.
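An added example controller, not the article's own code, that generalises sections (2) to (4): one map turns validation off for some actions and on for others, whatever the global setting, and beforeAction returns the parent's result instead of a hard-coded true. The action ids are assumed.

```php
<?php
// Added example, not the article's own code. Assumes a Yii2 application;
// the action ids 'wechat-callback' and 'dologin' are hypothetical.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\Response;

class ApiController extends Controller
{
    // Per-action overrides, covering both directions of the article:
    // false = switch validation off for this action when it is globally on,
    // true  = switch it on when the request component has it globally off.
    // Actions not listed keep the class/global setting.
    private $csrfOverrides = [
        'wechat-callback' => false,
        'dologin'         => true,
    ];

    public function beforeAction($action)
    {
        if (array_key_exists($action->id, $this->csrfOverrides)) {
            // $this is the same object as $action->controller.
            $this->enableCsrfValidation = $this->csrfOverrides[$action->id];
        }
        // parent::beforeAction() performs the CSRF check (HTTP 400 on failure)
        // and fires EVENT_BEFORE_ACTION; returning its result, rather than a
        // hard-coded true, lets a handler that vetoes the action still win.
        return parent::beforeAction($action);
    }

    public function actionWechatCallback()
    {
        // CSRF is skipped here, so this action must authenticate the caller by
        // other means (for example the platform's own request signature).
        Yii::$app->response->format = Response::FORMAT_JSON;
        return ['received' => Yii::$app->request->rawBody !== ''];
    }

    public function actionDologin()
    {
        // Protected: a POST whose _csrf field or X-CSRF-Token header does not
        // validate never reaches this body.
        return $this->render('dologin');
    }
}
```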
