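Here, we have CakePHP version 3.7.2.
CakePHP sets the CSRF token as a cookie in the browser, but we want to call the API from a mobile app [Android], where no cookie is set.
By commenting out the following, I successfully disabled CSRF on localhost:
    $routes->applyMiddleware('csrf'); //configs/routes.php
After this, the cookie is no longer set automatically.
My problem is that when I publish it to the server (online), the project's cookie is still set in the browser.
Note: we use an SSL domain (https).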
Answer 0: (score: 1)
In CakePHP, to disable the CSRF middleware, you have to comment out CsrfProtectionMiddleware in /src/Application.php
    public function middleware($middlewareQueue)
    {
        $middlewareQueue
            // Catch any exceptions in the lower layers,
            // and make an error page/response
            ->add(ErrorHandlerMiddleware::class)
            // Handle plugin/theme assets like CakePHP normally does.
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime')
            ]))
            // Add routing middleware.
            // Routes collection cache enabled by default, to disable route caching
            // pass null as cacheConfig, example: `new RoutingMiddleware($this)`
            // you might want to disable this cache in case your routing is extremely simple
            ->add(new RoutingMiddleware($this, '_cake_routes_'));
            // Add csrf middleware. // comment these lines
            // ->add(new CsrfProtectionMiddleware([
            //     'httpOnly' => true
            // ]));
        return $middlewareQueue;
    }
Cakephp -> Middleware -> Cross Site Request Forgery (CSRF) Middleware
Hope this helps!
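
An alternative to removing CSRF protection for the whole application, shown as an added example that is not part of the original question or answer: CakePHP 3.7 supports route-scoped middleware, so the CSRF middleware can stay on browser-facing routes while the mobile API scope gets none. The `/api` scope, the `Articles` resource, and the assumption that the Android client authenticates with a header-borne token rather than a session cookie are illustrative, not taken from the post.

```php
<?php
// config/routes.php
// Added example: the '/api' scope and 'Articles' resource are assumed names.
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\RouteBuilder;
use Cake\Routing\Router;
use Cake\Routing\Route\DashedRoute;

Router::defaultRouteClass(DashedRoute::class);

// Mobile API scope: the 'csrf' middleware is never applied here, so no
// csrfToken cookie is issued or validated for these routes.
// Assumption: requests are authenticated by a token sent in a header,
// not by a browser session cookie.
Router::scope('/api', function (RouteBuilder $routes) {
    $routes->setExtensions(['json']);
    $routes->resources('Articles'); // hypothetical resource
});

// Browser-facing scope: CSRF protection stays enabled.
Router::scope('/', function (RouteBuilder $routes) {
    $routes->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,
        'secure' => true, // the site is served over HTTPS
    ]));
    $routes->applyMiddleware('csrf');

    $routes->connect('/', ['controller' => 'Pages', 'action' => 'display', 'home']);
    $routes->fallbacks(DashedRoute::class);
});

// For the scoping to take effect, CsrfProtectionMiddleware must not also be
// added globally in Application::middleware(); a global add() there would
// apply it to every request, including the /api scope.
```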