


Code for partially turning on and off CSRF verification in yii2
This article introduces example code for partially turning off (or on) CSRF verification in yii2. The editor thinks it's pretty good and shares it here as a reference.
(1) For global use, set enableCsrfValidation to true on the request component in the configuration file:

    'request' => [
        'enableCsrfValidation' => true,
    ],

If you do not need CSRF protection, set 'enableCsrfValidation' => false, but this is unsafe. In yii2, enableCsrfValidation in yii\web\Request is true by default, which means CSRF validation is enabled by default, so this value does not have to be configured at all. (enableCookieValidation is a separate request setting that controls validation of cookie values; it does not switch CSRF validation on or off.)
Because CSRF validation is global once enabled, every POST request is checked, so when we post data the form must carry the CSRF data in a hidden field.
When posting data, you must post this value. It is generated with <?= Yii::$app->request->csrfToken ?>, which returns an encrypted csrfToken.
So whether it is a POST form or an AJAX POST, the csrfToken value must be set and sent with the submission. If it is not, an error occurs and verification fails.
(2) If you don't want to use CSRF verification in some controllers, what should you do?
The method is very simple. Set the property directly in the controller:

    public $enableCsrfValidation = false;

Because this controller inherits from yii\web\Controller, it inherits the enableCsrfValidation property. When the controller instance is created, CSRF validation is turned off for this controller, and POST requests to it are not verified.
For example, when we develop an API and the WeChat interface needs to post data to our endpoint, the WeChat side does not know the csrfToken, so with global CSRF turned on its POST requests will never succeed. In that case you need to turn off CSRF for this API.
(3) What if you want to turn it off for a specific action only?
Sometimes we need to turn off CSRF verification for just one action. CSRF verification is performed in beforeAction($action), so we can override the beforeAction($action) method in the controller:

    public function beforeAction($action)
    {
        // ID of the action being requested
        $currentaction = $action->id;
        // Actions that must skip CSRF validation
        $novalidactions = ['dologin'];
        if (in_array($currentaction, $novalidactions, true)) {
            $action->controller->enableCsrfValidation = false;
        }
        // The parent performs the CSRF check; pass its result through
        return parent::beforeAction($action);
    }

The $action parameter passed in is the object instantiated by the controller for this access. It contains a lot of information, which you can print and inspect.
First, $action->id gives the name of the action currently being accessed. $novalidactions is an array of action names: the actions for which CSRF validation needs to be turned off.
Is the current action in $novalidactions? If it is, this action needs CSRF validation turned off, so set it on the controller instance:

    $action->controller->enableCsrfValidation = false;

Next, parent::beforeAction($action) is executed. By this time, enableCsrfValidation on the controller instance referenced by $action has already been changed to false, so the check is skipped.
Finally, the method must return the result of parent::beforeAction($action). The action is executed only when beforeAction returns true, and a false from the parent (for example from a filter attached to the controller) has to stop the action rather than being replaced by a hard-coded true.
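When CSRF validation is switched off for a server-to-server callback such as the WeChat one, the endpoint should authenticate the caller some other way. The controller below is an added example, not code from the original article: it exempts a single action and checks the signature WeChat sends with its callbacks (SHA-1 over the sorted token, timestamp and nonce). The names WechatController, actionNotify and the wechatToken param are assumptions.

```php
<?php
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

// Hypothetical controller for a WeChat callback endpoint.
class WechatController extends Controller
{
    public function beforeAction($action)
    {
        // Only "notify" skips CSRF validation; every other action keeps it.
        if ($action->id === 'notify') {
            $this->enableCsrfValidation = false;
        }
        return parent::beforeAction($action);
    }

    public function actionNotify()
    {
        $request = Yii::$app->request;
        // Treat array-valued parameters such as ?nonce[]=x as missing.
        $param = function ($name) use ($request) {
            $value = $request->get($name);
            return is_string($value) ? $value : '';
        };
        // Assumption: the shared token is kept in params['wechatToken'].
        $token = (string) Yii::$app->params['wechatToken'];
        if (!self::signatureIsValid($token, $param('timestamp'), $param('nonce'), $param('signature'))) {
            throw new ForbiddenHttpException('Invalid callback signature.');
        }
        // The caller is authenticated; process $request->getRawBody() here.
        Yii::info('Verified WeChat callback', __METHOD__);
        return 'success';
    }

    // SHA-1 over the sorted token, timestamp and nonce, compared in constant time.
    public static function signatureIsValid($token, $timestamp, $nonce, $signature)
    {
        $parts = [$token, $timestamp, $nonce];
        sort($parts, SORT_STRING);
        return hash_equals(sha1(implode('', $parts)), $signature);
    }
}
```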
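(4) What if it is partially turned on?
First, make "off" the default. Setting

    'request' => [
        'enableCsrfValidation' => false,
    ],

in the configuration file turns CSRF validation off globally, but it cannot be combined with the steps below: when the request component's enableCsrfValidation is false, yii\web\Request::validateCsrfToken() accepts every request, so the controller property no longer has any effect. Leave the request component at its default and make false the default at the controller level instead, by setting $enableCsrfValidation to false as in (2), for example in a parent controller that the others extend.
(a) To enable it for a whole controller, you only need to set

    public $enableCsrfValidation = true;

and validation is enabled for the entire controller.
(b) To enable it for specific actions only, override beforeAction($action):

    public function beforeAction($action)
    {
        // ID of the action being requested
        $currentaction = $action->id;
        // Actions that must be CSRF-validated
        $accessactions = ['dologin'];
        if (in_array($currentaction, $accessactions, true)) {
            $action->controller->enableCsrfValidation = true;
        }
        // The parent performs the CSRF check; pass its result through
        return parent::beforeAction($action);
    }

$accessactions holds the names of the actions that need CSRF validation. For those actions $action->controller->enableCsrfValidation = true is set, so CSRF validation is enabled for the current operation.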
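How the request-level and controller-level switches combine is easiest to see with all four combinations side by side. The script below is an added example, not Yii2's own source or code from the original article: ModelRequest and ModelController are hypothetical stand-ins that reproduce only the two conditions involved, and the token value is constructed.

```php
<?php
// Simplified model of the two CSRF switches (real Yii2 also unmasks the token
// and throws BadRequestHttpException instead of returning false).

final class ModelRequest
{
    public $enableCsrfValidation = true;          // request component setting
    public $method = 'POST';
    public $submittedToken = null;                // token sent by the client
    public $expectedToken = 'constructed-token';  // constructed sample value

    // Same early return as yii\web\Request::validateCsrfToken(): a disabled
    // request component, or a safe HTTP method, counts as "valid".
    public function validateCsrfToken(): bool
    {
        if (!$this->enableCsrfValidation
            || in_array($this->method, ['GET', 'HEAD', 'OPTIONS'], true)) {
            return true;
        }
        return is_string($this->submittedToken)
            && hash_equals($this->expectedToken, $this->submittedToken);
    }
}

final class ModelController
{
    public $enableCsrfValidation = true;          // controller property

    // Same condition as yii\web\Controller::beforeAction(): the request is
    // rejected only if the controller asks for the check AND the check fails.
    public function beforeAction(ModelRequest $request): bool
    {
        return !($this->enableCsrfValidation && !$request->validateCsrfToken());
    }
}

// A POST without any token, tried against all four combinations.
foreach ([[true, true], [true, false], [false, true], [false, false]] as [$req, $ctl]) {
    $request = new ModelRequest();
    $request->enableCsrfValidation = $req;
    $controller = new ModelController();
    $controller->enableCsrfValidation = $ctl;
    printf("request=%-5s controller=%-5s -> %s\n",
        var_export($req, true), var_export($ctl, true),
        $controller->beforeAction($request) ? 'action runs' : 'rejected');
}
```

Only the combination with both switches on rejects the token-less POST, which is why selective enabling has to be done with the controller property while the request component stays enabled.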
The above is the detailed content of Code for partially turning on and off CSRF verification in yii2. For more information, please follow other related articles on the PHP Chinese website!

