I need to completely disable CSRF token checking for my application. I tried using:

    public function beforeFilter(Event $event)
    {
        $this->getEventManager()->off($this->Csrf);
    }

in AppController, but it doesn't seem to work. Manual link: Disabling the CSRF Component for Specific Actions
I have done a lot of testing and read a lot of posts, but I can't solve it.
Ty.
@omerowitz This is the beforeFilter action of my AppController:

    public function beforeFilter(Event $event)
    {
        $this->getEventManager()->off($this->Security);
        if ($this->request->is('post')) {
            $this->getEventManager()->off($this->Csrf);
        }
        $this->Auth->allow(['index', 'view', 'display']);
    }

But it still doesn't work: I still get the error "CSRF token mismatch" when I make a request with Postman.
Solution:
I removed this:

    ->add(new CsrfProtectionMiddleware([
        'httpOnly' => true
    ]));

from Application.php. Why isn't this noted in the manual?
Thanks all!
Answer 0 (score: 5)
I think that in Cake 3.6 you should remove the CsrfProtectionMiddleware from the middleware queue in src/Application.php.
Answer 1 (score: 1)
You also need to disable the Security component. I use this for my API controllers:

    $this->getEventManager()->off($this->Security);
    if ($this->request->is('post')) {
        $this->getEventManager()->off($this->Csrf);
    }

I only disabled it for POST requests, although disabling both Security and Csrf at the same time also works.
Edit: I put this in AppController, although it works in each controller.
The Security component seems to enable CSRF and form tampering protection.
https://book.cakephp.org/3.0/en/controllers/components/security.html
Answer 2 (score: 0)
You can try

    public function beforeFilter(Event $event)
    {
        $this->getEventManager()->makeMess($this->Csrf);
    }

It works for me!
You can also try using the Python language or Symfony 2.8.
Answer 3 (score: 0)

    // src/Application.php
    public function middleware($middlewareQueue)
    {
        $middlewareQueue
            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(ErrorHandlerMiddleware::class)
            // Handle plugin/theme assets like CakePHP normally does.
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime')
            ]))
            // Add routing middleware.
            // Routes collection cache enabled by default, to disable route caching
            // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
            // you might want to disable this cache in case your routing is extremely simple
            ->add(new RoutingMiddleware($this, '_cake_routes_'));
        // Add csrf middleware.
        // Comment out the following code.
        /* ->add(new CsrfProtectionMiddleware([
            'httpOnly' => true
        ])); */
        return $middlewareQueue;
    }

    // Your controller // UsersController:
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        $this->viewBuilder()->layout('admin');
        $this->getEventManager()->off($this->Security);
    }

    // For the initialize method
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
        $this->loadComponent('Security');
    }

Try it, it's working...
Answer 4 (score: 0)
In CakePHP 3.6.10:
Comment out the following lines:

    ->add(new CsrfProtectionMiddleware([
        'httpOnly' => true
    ]));

This will completely disable the CSRF token check.
Answer 5 (score: 0)
I am using whitelistCallback for a specific prefix or an array of actions:

    // in src/Application.php
    use Cake\Http\Middleware\CsrfProtectionMiddleware;

    public function middleware($middlewareQueue) {
        $csrf = new CsrfProtectionMiddleware();
        // Token check will be skipped when callback returns `true`.
        $csrf->whitelistCallback(function ($request) {
            // Skip token check for API URLs.
            if ($request->getParam('prefix') === 'api') {
                return true;
            }
        });
        // Ensure routing middleware is added to the queue before CSRF protection middleware.
        $middlewareQueue->add($csrf);
        return $middlewareQueue;
    }
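Putting the middleware-queue answers together: below is an added example, not code from the question or any of the answers, of a complete src/Application.php middleware() for CakePHP 3.x that keeps CSRF protection on every browser-facing route and skips the token check only under the `api` routing prefix, with RoutingMiddleware added before the CSRF middleware so that `getParam('prefix')` is already populated inside the callback. It assumes the standard CakePHP app skeleton (App\Application extending BaseApplication) and an `api` prefix defined in routes.php; whitelistCallback() is the method used in the last answer.

```php
<?php
// src/Application.php (added example; assumes the standard CakePHP 3.x app skeleton)
namespace App;

use Cake\Core\Configure;
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        $csrf = new CsrfProtectionMiddleware([
            'httpOnly' => true, // token cookie is not readable from page JavaScript
        ]);

        // Skip the token check only for the stateless API prefix (assumed to be
        // named 'api' in routes.php). Every other route, including all browser
        // forms and admin pages, still requires a valid CSRF token.
        $csrf->whitelistCallback(function ($request) {
            return $request->getParam('prefix') === 'api';
        });

        $middlewareQueue
            // Catch exceptions in lower layers and render an error response.
            ->add(ErrorHandlerMiddleware::class)
            // Serve plugin/theme assets as CakePHP normally does.
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime'),
            ]))
            // Routing must run before the CSRF middleware: until a route has
            // matched, getParam('prefix') is null and nothing would be whitelisted.
            ->add(new RoutingMiddleware($this, '_cake_routes_'))
            // CSRF protection, scoped by the callback above rather than removed.
            ->add($csrf);

        return $middlewareQueue;
    }
}
```

With this in place a POST to an /api/... route passes without a token, while a POST to any other route that lacks the `_csrfToken` form field or the `X-CSRF-Token` header still fails with the "CSRF token mismatch" error seen in the question, which is the behaviour you want to keep for browser sessions.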