CsrfComponent

Provides CSRF protection and validation.

This component adds a CSRF token to a cookie. On each PATCH, POST, PUT, or DELETE request the cookie value is compared to the request data, or to the X-CSRF-Token header.

If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.

This component integrates with the FormHelper automatically: when the two are used together, your forms will have CSRF tokens added automatically whenever $this->Form->create(...) is used in a view.
Properties summary

$_defaultConfig (protected array) - default config for the CSRF handling; see the property details below.

Methods
_setCookie( Cake\Network\Request $request , Cake\Network\Response $response )
Set the cookie in the response.
Also sets request->params['_csrfToken'] so the newly minted token is available in the request data.
Parameters:
  Cake\Network\Request $request
  Cake\Network\Response $response
_validateToken( Cake\Network\Request $request )
Validate the request data against the cookie token.
Parameters:
  Cake\Network\Request $request
Throws:
  Cake\Network\Exception\InvalidCsrfTokenException
implementedEvents( )
Events supported by this component.
Overrides: Cake\Controller\Component::implementedEvents()
startup( Cake\Event\Event $event )
Startup callback.
Validates the CSRF token for POST data. If the request is a GET request and the cookie value is absent, a cookie will be set.
Once a cookie is set it will be copied into request->params['_csrfToken'] so that application and framework code can easily access the CSRF token.
RequestAction requests are not checked, nor will they set a cookie should it be missing.
Parameters:
  Cake\Event\Event $event
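The check described in the class description and in startup() above, written out as an added stand-alone illustration (this is not the component's code; csrfRequestIsValid, the array-shaped request and the use of hash_equals are this example's own assumptions):

```php
<?php
// Added illustration, not CakePHP code: models the rule the CsrfComponent docs
// describe. The function name, the array-shaped request and the use of
// hash_equals() are this example's own choices.

/**
 * Return true when the method is not one the component validates, or when the
 * token in the cookie matches the request data field or the X-CSRF-Token header.
 */
function csrfRequestIsValid(
    string $method, array $cookies, array $data, array $headers,
    string $cookieName = 'csrfToken', string $field = '_csrfToken'
): bool {
    // Only PATCH, POST, PUT and DELETE are validated (per the component docs).
    if (!in_array(strtoupper($method), ['PATCH', 'POST', 'PUT', 'DELETE'], true)) {
        return true;
    }
    $cookie = $cookies[$cookieName] ?? '';
    // The token arrives in the request data ('field' config) or the X-CSRF-Token header.
    $submitted = $data[$field] ?? ($headers['X-CSRF-Token'] ?? '');
    if ($cookie === '' || $submitted === '') {
        // Missing on either side: the component raises InvalidCsrfTokenException here.
        return false;
    }
    // Constant-time comparison is this example's choice.
    return hash_equals($cookie, $submitted);
}

// Constructed sample requests, one per case the docs describe.
$token = bin2hex(random_bytes(16));
$stale = str_repeat('0', 32);
$cases = [
    'GET without cookie'        => ['GET',    [],                      [],                      []],
    'POST form field matches'   => ['POST',   ['csrfToken' => $token], ['_csrfToken' => $token], []],
    'PUT via AJAX header'       => ['PUT',    ['csrfToken' => $token], [],                      ['X-CSRF-Token' => $token]],
    'POST with stale token'     => ['POST',   ['csrfToken' => $token], ['_csrfToken' => $stale], []],
    'DELETE with no token sent' => ['DELETE', ['csrfToken' => $token], [],                      []],
];
foreach ($cases as $label => [$method, $cookies, $data, $headers]) {
    $ok = csrfRequestIsValid($method, $cookies, $data, $headers);
    printf("%-26s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The first three cases are accepted and the last two rejected, which is the behaviour a missing or mismatched token produces in the component.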
Methods inherited from Cake\Controller\Component

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )
Constructor
Parameters:
  Cake\Controller\ComponentRegistry $registry
  array $config optional []

__debugInfo( )
Returns an array that can be used to describe the internal state of this object.
__get( string $name )
Magic method for lazy loading $components.
Parameters:
  string $name
initialize( array $config )
Constructor hook method.
Implement this method to avoid having to override the constructor and call parent.
Parameters:
  array $config
Methods used from Cake\Core\InstanceConfigTrait

_configDelete( string $key )
Delete a single config key.
Parameters:
  string $key
Throws:
  Cake\Core\Exception\Exception
_configRead( string|null $key )
Read a config variable.
Parameters:
  string|null $key
_configWrite( string|array $key , mixed $value , boolean|string $merge false )
Write a config variable.
Parameters:
  string|array $key
  mixed $value
  boolean|string $merge optional false - true to merge recursively, 'shallow' for a simple merge, false to overwrite; defaults to false.
Throws:
  Cake\Core\Exception\Exception
config( string|array|null $key null , mixed|null $value null , boolean $merge true )
Reading the whole config:
  $this->config();
Reading a specific value:
  $this->config('key');
Reading a nested value:
  $this->config('some.nested.key');
Setting a specific value:
  $this->config('key', $value);
Setting a nested value:
  $this->config('some.nested.key', $value);
Updating multiple config settings at the same time:
  $this->config(['one' => 'value', 'another' => 'value']);
Parameters:
  string|array|null $key optional null
  mixed|null $value optional null
  boolean $merge optional true
Throws:
  Cake\Core\Exception\Exception
configShallow( string|array $key , mixed|null $value null )
Merge provided config with existing config. Unlike config(), which does a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
  $this->configShallow('key', $value);
Setting a nested value:
  $this->configShallow('some.nested.key', $value);
Updating multiple config settings at the same time:
  $this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters:
  string|array $key
  mixed|null $value optional null

Methods used from Cake\Log\LogTrait

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )
Convenience method to write a message to Log. See Log::write() for more information on writing to logs.
Parameters:
  mixed $msg
  integer|string $level optional LogLevel::ERROR
  string|array $context optional []

Properties detail

$_defaultConfig (protected array)
Default config for the CSRF handling.
  [
      'cookieName' => 'csrfToken',
      'expiry' => 0,
      'secure' => false,
      'httpOnly' => false,
      'field' => '_csrfToken',
  ]
© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
http://api.cakephp.org/3.2/class-Cake.Controller.Component.CsrfComponent.html