This post walks through example code for partially turning Yii2's CSRF validation off (or on): globally, per controller, and per action. It is shared as a reference; hopefully it is useful to others.
(1) Global use: set enableCsrfValidation to true on the request component in the configuration file
    'request' => [
        'enableCsrfValidation' => true,
    ],
If you do not want CSRF protection you can set 'enableCsrfValidation' => false, but that is not safe, which is why enableCsrfValidation in yii\web\Request defaults to true: CSRF validation is on by default, so this value can simply be left unconfigured. (The similarly named enableCookieValidation is a different setting: it signs cookies with cookieValidationKey and should also stay at its default of true, because the _csrf token cookie relies on it to be tamper-evident.)
If CSRF validation is on, it applies globally: every POST (and PUT, PATCH or DELETE; GET, HEAD and OPTIONS are never checked) must carry a valid token, so when we post data from a form we must include the CSRF token as a hidden field.
The code is as follows:
    <input type="hidden" name="_csrf" id="csrf" value="<?= Yii::$app->request->csrfToken ?>">
The POSTed data must include this value. It is produced by <?= Yii::$app->request->csrfToken ?>, which returns a masked CSRF token (randomised on every call, so the same underlying token never appears twice in a page) rather than the raw one; _csrf is the default value of Yii::$app->request->csrfParam.
So whether it is a normal form POST or an Ajax POST, this token has to be sent along: as the _csrf body parameter or, which suits Ajax better, in the X-CSRF-Token request header, which Yii2 also checks. If it is missing or wrong, the request fails with HTTP 400 "Unable to verify your data submission."
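As an added example (not code from the original post), here is a Yii2 view that sends the token both ways Yii2 accepts it: as the hidden _csrf field of a classic form POST, and in the X-CSRF-Token header of an Ajax POST read from the meta tags that Html::csrfMetaTags() emits. The view path views/site/login.php, the action route site/do-login and the field names are assumptions.

```php
<?php
/* Added example, not from the original post. Assumed location: views/site/login.php.
 * The route ['site/do-login'] and the username/password field names are assumptions. */

use yii\helpers\Html;
use yii\helpers\Url;

/** @var yii\web\View $this */

$request = Yii::$app->request;
?>
<?php // Emits <meta name="csrf-param"> and <meta name="csrf-token"> so scripts can read the token. ?>
<?= Html::csrfMetaTags() ?>

<?php // 1. Classic form POST: the token travels as the hidden body parameter named by
      //    Request::$csrfParam (default "_csrf"). Calling csrfToken also sets the _csrf cookie. ?>
<form method="post" action="<?= Url::to(['site/do-login']) ?>">
    <input type="hidden"
           name="<?= Html::encode($request->csrfParam) ?>"
           value="<?= Html::encode($request->csrfToken) ?>">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit">Log in</button>
</form>

<?php // 2. Ajax POST: Yii2 also accepts the token in the X-CSRF-Token header
      //    (Request::CSRF_HEADER), so a JSON body needs no _csrf field. ?>
<script>
document.querySelector('form').addEventListener('submit', function (ev) {
    ev.preventDefault();
    var token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
    fetch(this.action, {
        method: 'POST',
        credentials: 'same-origin',          // the _csrf cookie must accompany the request
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': token
        },
        body: JSON.stringify({
            username: this.username.value,
            password: this.password.value
        })
    }).then(function (resp) {
        // A missing or stale token yields HTTP 400 "Unable to verify your data submission."
        if (resp.status === 400) {
            console.error('CSRF check failed');
        }
    });
});
</script>
```

Both paths validate against the same token stored in the _csrf cookie (or the session, if enableCsrfCookie is false), so the request must be sent with cookies; a fetch() without credentials: 'same-origin' would fail the check even with the correct header.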
(2) What if you want to turn off CSRF validation in some controllers?
The method is simple: in the controller, set
    public $enableCsrfValidation = false;
Because the controller extends yii\web\Controller it inherits the enableCsrfValidation property, so as soon as the controller instance is created CSRF validation is off, and POST requests to any of its actions are not verified.
For example, when we develop an API whose clients POST data to our interface, the client has no way of knowing the CSRF token, so with global CSRF on their POSTs can never succeed, and we need to turn CSRF off for the API controller. This is only safe if the API does not rely on the session cookie for authentication (for instance it requires a bearer token or HTTP basic credentials); a cookie-authenticated endpoint with CSRF validation off is exactly what a CSRF attack exploits.
(3) What if you want to turn it off for a specific action?
Sometimes we need CSRF validation off in just one action of a controller. The CSRF check is performed in yii\web\Controller::beforeAction($action), so we can override beforeAction($action) in our controller:
    public function beforeAction($action)
    {
        $currentAction = $action->id;
        $noValidActions = ['dologin'];   // action IDs (here for actionDologin), not method names
        if (in_array($currentAction, $noValidActions, true)) {
            $action->controller->enableCsrfValidation = false;
        }
        return parent::beforeAction($action);
    }
The incoming $action is the yii\base\Action object for the action being run (an InlineAction for actionXxx() methods); it carries the action ID and a reference back to the controller, and you can print it to see what else it contains.
$action->id gives the ID of the action currently being accessed. $noValidActions is an array of action IDs: these are the actions for which CSRF validation should be turned off.
If the current action is in $noValidActions, CSRF validation must be off for this action, so on the controller instance we set
    $action->controller->enableCsrfValidation = false;
($action->controller is the same object as $this.)
Then parent::beforeAction($action) is executed with the controller's enableCsrfValidation already false, so yii\web\Controller skips its call to validateCsrfToken(). The order matters: change the property first, then call the parent.
Finally, return what parent::beforeAction() returned. If it is false the action is not run; returning true unconditionally instead, as some examples do, would run the action even when the parent or an EVENT_BEFORE_ACTION handler had vetoed it.
(4) What about turning it on only partially?
Do not do this by setting 'enableCsrfValidation' => false on the request component in the configuration file: once yii\web\Request::$enableCsrfValidation is false, validateCsrfToken() returns true without checking anything, so a controller or action that sets enableCsrfValidation = true afterwards gets no protection at all. Leave the request component at its default (on) and instead set enableCsrfValidation to false in a common base controller that the other controllers extend, as in section (2), so that CSRF validation is off everywhere by default; then turn it back on where it is needed:
(a) To turn it on for a whole controller, set in that controller
    public $enableCsrfValidation = true;
and the entire controller will have CSRF validation on.
(b) To turn it on for a single action, override beforeAction:
    public function beforeAction($action)
    {
        $currentAction = $action->id;
        $accessActions = ['dologin'];   // action IDs that must be CSRF-checked
        if (in_array($currentAction, $accessActions, true)) {
            $action->controller->enableCsrfValidation = true;
        }
        return parent::beforeAction($action);
    }
$accessActions holds the IDs of the actions that need CSRF validation; for those, $action->controller->enableCsrfValidation = true is set before parent::beforeAction($action) performs the check, so the current action is validated while the rest of the controller stays off.
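The following added example (not code from the original post) puts sections (2), (3) and (4) together in one file: the request component left on, a base controller that turns CSRF off by default, an API controller that keeps it off because it authenticates with a bearer token instead of the session cookie, a controller that opts back in as a whole, and a controller that opts in per action. The namespace, class names, action IDs and the bearer-token API are assumptions for illustration; in a real app each class lives in its own file under controllers/.

```php
<?php
/* Added example, not code from the original post: the complete "partially on"
 * layout from sections (2), (3) and (4). Namespace, class names, action IDs
 * and the bearer-token API are assumptions for illustration. */

namespace app\controllers;

use yii\filters\auth\HttpBearerAuth;
use yii\web\Controller;

// config/web.php, components section: keep the request component ON. With
// 'enableCsrfValidation' => false here, Request::validateCsrfToken() returns
// true unconditionally and none of the controller switches below do anything.
$requestConfig = [
    'cookieValidationKey'    => 'replace-with-a-long-random-secret',
    'enableCsrfValidation'   => true, // default, shown for emphasis
    'enableCookieValidation' => true, // default; keeps the _csrf cookie signed
];

/** App-wide default: CSRF validation off. All other controllers extend this. */
class BaseController extends Controller
{
    public $enableCsrfValidation = false;
}

/**
 * JSON API for non-browser clients: CSRF stays off (inherited). This is only
 * acceptable because the API never trusts the session cookie; it requires an
 * Authorization: Bearer header, which a cross-site form cannot attach.
 */
class ApiController extends BaseController
{
    public function behaviors()
    {
        return [
            'authenticator' => ['class' => HttpBearerAuth::class],
        ];
    }

    public function actionCreate()
    {
        return $this->asJson(['created' => true]);
    }
}

/** Case (4a): the whole controller opts back in. */
class AccountController extends BaseController
{
    public $enableCsrfValidation = true;

    public function actionDelete()
    {
        return $this->asJson(['deleted' => true]);
    }
}

/** Case (4b): only the listed actions are checked. */
class SiteController extends BaseController
{
    public function beforeAction($action)
    {
        // These are action IDs, not method names: actionDoLogin => 'do-login'.
        $protected = ['do-login', 'change-password'];
        if (in_array($action->id, $protected, true)) {
            $this->enableCsrfValidation = true; // $action->controller === $this
        }
        // yii\web\Controller::beforeAction() performs the CSRF check, so the
        // flag must be set before this call. Return its result: a bare
        // "return true" would swallow a false from an EVENT_BEFORE_ACTION handler.
        return parent::beforeAction($action);
    }

    public function actionIndex()
    {
        return $this->render('index'); // GET is never CSRF-checked anyway
    }

    public function actionDoLogin()
    {
        // Reached only with a valid _csrf body parameter or X-CSRF-Token header.
        return $this->asJson(['login' => 'ok']);
    }
}
```

To check the split, POST to site/do-login or account/delete without a token: both must answer 400 "Unable to verify your data submission." A POST to api/create with a valid Authorization: Bearer header and no CSRF token goes through, while a POST to site/index is not checked because that action is not in $protected (the URLs depend on your urlManager configuration).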