Class CsrfComponent

Provides CSRF protection & validation.

This component adds a CSRF token to a cookie. The cookie value is compared to request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request.

If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.

This component integrates with the FormHelper automatically; when the two are used together, your forms will have CSRF tokens added automatically whenever $this->Form->create(...) is used in a view.

Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait, Cake\Log\LogTrait
Extended by Cake\Controller\Component\CsrfComponent

Method Detail

_setCookie protected

_setCookie( Cake\Network\Request $request , Cake\Network\Response $response )

Set the cookie in the response.

Also sets the request->params['_csrfToken'] so the newly minted token is available in the request data.

Parameters

Cake\Network\Request $request
The request object.
Cake\Network\Response $response
The response object.

_validateToken protected

_validateToken( Cake\Network\Request $request )

Validate the request data against the cookie token.

Parameters

Cake\Network\Request $request
The request to validate against.

Throws

Cake\Network\Exception\InvalidCsrfTokenException
when the CSRF token is invalid or missing.

implementedEvents public

implementedEvents( )

Events supported by this component.

Returns

array

Overrides

Cake\Controller\Component::implementedEvents()

startup public

startup( Cake\Event\Event $event )

Startup callback.

Validates the CSRF token for POST data. If the request is a GET request and the cookie value is absent, a cookie will be set.

Once a cookie is set it will be copied into request->params['_csrfToken'] so that application and framework code can easily access the CSRF token.

RequestAction requests do not get checked, nor will they set a cookie should it be missing.
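The flow described in the class overview and in startup() above (mint a cookie on a GET that lacks one, compare the cookie against the form field or the X-CSRF-Token header on PATCH/POST/PUT/DELETE, skip RequestAction requests, expose the token in request params) is shown here as an added, stand-alone PHP re-implementation. It is not CakePHP's own source: requests, cookies and params are modelled as plain arrays, the token generator (16 random bytes, hex-encoded) and the use of hash_equals() are my assumptions, and the sample requests are constructed.

```php
<?php
// Illustrative re-implementation of the documented CsrfComponent flow.
// Added example, NOT CakePHP's source; request/response are plain arrays.

const CSRF_COOKIE = 'csrfToken';   // cookieName default from the docs
const CSRF_FIELD  = '_csrfToken';  // field default from the docs

class InvalidCsrfTokenException extends RuntimeException {}

/**
 * Mirrors startup(): on a GET without a cookie, mint a token and queue the
 * cookie for the response; on PATCH/POST/PUT/DELETE, validate the request
 * data or X-CSRF-Token header against the cookie. Returns the token that
 * application code would find in $request['params']['_csrfToken'].
 */
function csrfStartup(array &$request, array &$responseCookies): ?string
{
    // RequestAction requests are neither checked nor given a cookie.
    if (!empty($request['params']['requested'])) {
        return null;
    }
    $cookie = $request['cookies'][CSRF_COOKIE] ?? null;

    if ($request['method'] === 'GET' && $cookie === null) {
        // Assumption: 16 CSPRNG bytes, hex-encoded, as the token source.
        $cookie = bin2hex(random_bytes(16));
        $responseCookies[CSRF_COOKIE] = $cookie;
    }
    if (in_array($request['method'], ['PATCH', 'POST', 'PUT', 'DELETE'], true)) {
        validateToken($request, $cookie);
    }
    $request['params'][CSRF_FIELD] = $cookie;
    return $cookie;
}

/** Mirrors _validateToken(): throws when the token is missing or differs. */
function validateToken(array $request, ?string $cookie): void
{
    if ($cookie === null || $cookie === '') {
        throw new InvalidCsrfTokenException('Missing CSRF token cookie');
    }
    // Form field first, then the header used by XHR/fetch clients.
    $candidate = $request['data'][CSRF_FIELD]
        ?? $request['headers']['X-CSRF-Token']
        ?? null;
    // hash_equals() avoids leaking the token through comparison timing.
    if (!is_string($candidate) || !hash_equals($cookie, $candidate)) {
        throw new InvalidCsrfTokenException('CSRF token mismatch');
    }
}

// --- constructed sample requests -------------------------------------
$cookies = [];
$get = ['method' => 'GET', 'cookies' => [], 'data' => [], 'headers' => [], 'params' => []];
$token = csrfStartup($get, $cookies);          // first visit: cookie minted
echo "minted token for response cookie: {$cookies[CSRF_COOKIE]}\n";

$okForm = ['method' => 'POST', 'cookies' => [CSRF_COOKIE => $token],
           'data' => [CSRF_FIELD => $token], 'headers' => [], 'params' => []];
csrfStartup($okForm, $cookies);
echo "form post accepted\n";

$okAjax = ['method' => 'DELETE', 'cookies' => [CSRF_COOKIE => $token], 'data' => [],
           'headers' => ['X-CSRF-Token' => $token], 'params' => []];
csrfStartup($okAjax, $cookies);
echo "ajax delete accepted\n";

$noToken = ['method' => 'POST', 'cookies' => [CSRF_COOKIE => $token],
            'data' => [], 'headers' => [], 'params' => []];
try {
    csrfStartup($noToken, $cookies);
} catch (InvalidCsrfTokenException $e) {
    echo "rejected cross-site style post: {$e->getMessage()}\n";
}
```

The last request is the case the component exists for: a browser will attach the cookie to any POST aimed at the site, but a form submitted from another origin cannot read that cookie to copy it into the `_csrfToken` field or the header, so the comparison fails and the request is rejected before the action runs.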

Parameters

Cake\Event\Event $event
Event instance.

Methods inherited from Cake\Controller\Component

__construct public

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry
A ComponentRegistry this component can use to lazy load its components
array $config optional []
Array of configuration settings.

__debugInfo public

__debugInfo( )

Returns an array that can be used to describe the internal state of this object.

Returns

array

__get public

__get( string $name )

Magic method for lazy loading $components.

Parameters

string $name
Name of component to get.

Returns

mixed
A Component object or null.

initialize public

initialize( array $config )

Constructor hook method.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array $config
The configuration settings provided to this component.

Methods used from Cake\Core\InstanceConfigTrait

_configDelete protected

_configDelete( string $key )

Delete a single config key

Parameters

string $key
Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead protected

_configRead( string|null $key )

Read a config variable

Parameters

string|null $key
Key to read.

Returns

mixed

_configWrite protected

_configWrite( string|array $key , mixed $value , boolean|string $merge false )

Write a config variable

Parameters

string|array $key
Key to write to.
mixed $value
Value to write.
boolean|string $merge optional false
True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

config public

config( string|array|null $key null , mixed|null $value null , boolean $merge true )

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Parameters

string|array|null $key optional null
The key to get/set, or a complete array of configs.
mixed|null $value optional null
The value to set.
boolean $merge optional true
Whether to recursively merge or overwrite existing config, defaults to true.

Returns

mixed
Config value being read, or the object itself on write operations.

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow public

configShallow( string|array $key , mixed|null $value null )

Merge provided config with existing config. Unlike config(), which does a recursive merge for nested keys, this method does a simple (shallow) merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key
The key to set, or a complete array of configs.
mixed|null $value optional null
The value to set.

Returns

mixed
$this The object itself.

Methods used from Cake\Log\LogTrait

log public

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

mixed $msg
Log message.
integer|string $level optional LogLevel::ERROR
Error level.
string|array $context optional []
Additional log data relevant to this message.

Returns

boolean
Success of log write.

Properties summary

$_defaultConfig

protected array

Default config for the CSRF handling.

  • cookieName = The name of the cookie to send.
  • expiry = How long the CSRF token should last. Defaults to browser session.
  • secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
  • httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
  • field = The form field to check. Changing this will also require configuring FormHelper.
[
    'cookieName' => 'csrfToken',
    'expiry' => 0,
    'secure' => false,
    'httpOnly' => false,
    'field' => '_csrfToken',
]
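The defaults above leave the token cookie without the Secure and HttpOnly flags. As an added example (not code from the page or from CakePHP itself), this is how an application would load the component with the defaults left in place beside a hardened configuration; the AppController class and the loadComponent() call are the standard CakePHP 3 way to attach a component, and the key names are exactly the ones in the $_defaultConfig table.

```php
<?php
// Added example: loading CsrfComponent with hardened cookie flags.
// Not part of the page or CakePHP's own source.
namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();

        // Weak: relying on the defaults means the csrfToken cookie is sent
        // over plain HTTP (secure = false) and is readable by any script
        // running in the page (httpOnly = false).
        // $this->loadComponent('Csrf');

        // Hardened: only transmit over TLS, keep the cookie out of
        // document.cookie, and let the browser discard it with the session.
        $this->loadComponent('Csrf', [
            'cookieName' => 'csrfToken',
            'expiry' => 0,          // browser session
            'secure' => true,
            'httpOnly' => true,
            'field' => '_csrfToken',
        ]);
    }
}
```

With httpOnly set, client-side code can no longer read the cookie to populate the X-CSRF-Token header; instead, render the value that startup() copies into request->params['_csrfToken'] into the page (for example in a meta tag) and have the client send that in the header. FormHelper-generated forms are unaffected, since the component already supplies the hidden field for them.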

Properties inherited from Cake\Controller\Component

$_componentMap

protected array

A component lookup table used to lazy load component objects.

[]

$_registry

protected Cake\Controller\ComponentRegistry

Component registry class used to lazy load components.

$components

public array

Other Components this component uses.

[]

$request

public Cake\Network\Request

Request object

$response

public Cake\Network\Response

Response object

Properties used from Cake\Core\InstanceConfigTrait

$_config

protected array

Runtime config

[]

$_configInitialized

protected boolean

Whether the config property has already been configured with defaults

false

© 2005–2016 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
http://api.cakephp.org/3.1/class-Cake.Controller.Component.CsrfComponent.html