Class CsrfComponent

Provides CSRF protection & validation.

This component adds a CSRF token to a cookie. The cookie value is compared to request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request.

If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.

This component integrates with the FormHelper automatically and when used together your forms will have CSRF tokens automatically added when $this->Form->create(...) is used in a view.

Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait , Cake\Log\LogTrait

Cake\Controller\Component\CsrfComponent

Namespace: Cake\Controller\Component
Deprecated: 3.5.0 Use Cake\Http\Middleware\CsrfProtectionMiddleware instead.
Location: Controller/Component/CsrfComponent.php

Properties summary

$_defaultConfig protected

array

Default config for the CSRF handling.

Inherited Properties

_componentMap, _registry, components, request, response _config, _configInitialized

Method Summary

_setCookie() protected

Set the cookie in the response.
_validateToken() protected

Validate the request data against the cookie token.
implementedEvents() public

Events supported by this component.
initialize() public

Warn if CsrfComponent is used together with CsrfProtectionMiddleware
startup() public

Startup callback.

Method Detail

_setCookie() protected ¶

_setCookie( Cake\Http\ServerRequest $request , Cake\Http\Response $response )

Set the cookie in the response.

Also sets the request->params['_csrfToken'] so the newly minted token is available in the request data.

Parameters

Cake\Http\ServerRequest $request: The request object.
Cake\Http\Response $response: The response object.

Returns

array
An array of the modified request, response.

_validateToken() protected ¶

_validateToken( Cake\Http\ServerRequest $request )

Validate the request data against the cookie token.

Parameters

Cake\Http\ServerRequest $request: The request to validate against.

Throws

Cake\Http\Exception\InvalidCsrfTokenException
when the CSRF token is invalid or missing.

implementedEvents() public ¶

implementedEvents( )

Events supported by this component.

Returns

array

Overrides

Cake\Controller\Component::implementedEvents()

initialize() public ¶

initialize( array $config )

Warn if CsrfComponent is used together with CsrfProtectionMiddleware

Parameters

array $config: The config data.

Overrides

Cake\Controller\Component::initialize()

startup() public ¶

startup( Cake\Event\Event $event )

Startup callback.

Validates the CSRF token for POST data. If the request is a GET request, and the cookie value is absent a cookie will be set.

Once a cookie is set it will be copied into request->getParam('_csrfToken') so that application and framework code can easily access the csrf token.

RequestAction requests do not get checked, nor will they set a cookie should it be missing.

Parameters

Cake\Event\Event $event: Event instance.

Methods inherited from Cake\Controller\Component

__construct() public ¶

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry: A ComponentRegistry this component can use to lazy load its components
array $config optional []: Array of configuration settings.

__debugInfo() public ¶

__debugInfo( )

Returns an array that can be used to describe the internal state of this object.

Returns

array

__get() public ¶

__get( string $name )

Magic method for lazy loading $components.

Parameters

string $name: Name of component to get.

Returns

mixed
A Component object or null.

getController() public ¶

getController( )

Get the controller this component is bound to.

Returns

Cake\Controller\Controller
The bound controller.

Methods used from Cake\Core\InstanceConfigTrait

_configDelete() protected ¶

_configDelete( string $key )

Deletes a single config key.

Parameters

string $key: Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() protected ¶

_configRead( string|null $key )

Reads a config key.

Parameters

string|null $key: Key to read.

Returns

mixed

_configWrite() protected ¶

_configWrite( string|array $key , mixed $value , boolean|string $merge false )

Writes a config key.

Parameters

string|array $key: Key to write to.
mixed $value: Value to write.
boolean|string $merge optional false: True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

config() public ¶

config( string|array|null $key null , mixed|null $value null , boolean $merge true )

Gets/Sets the config.

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Parameters

string|array|null $key optional null: The key to get/set, or a complete array of configs.
mixed|null $value optional null: The value to set.
boolean $merge optional true: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

mixed
Config value being read, or the object itself on write operations.

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow() public ¶

configShallow( string|array $key , mixed|null $value null )

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional null: The value to set.

Returns

$this

getConfig() public ¶

getConfig( string|null $key null , mixed $default null )

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional null: The key to get or null for the whole config.
mixed $default optional null: The return value when the key does not exist.

Returns

mixed
Config value being read.

setConfig() public ¶

setConfig( string|array $key , mixed|null $value null , boolean $merge true )

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional null: The value to set.
boolean $merge optional true: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

Methods used from Cake\Log\LogTrait

log() public ¶

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

mixed $msg: Log message.
integer|string $level optional LogLevel::ERROR: Error level.
string|array $context optional []: Additional log data relevant to this message.

Returns

boolean
Success of log write.

Properties detail

`$_defaultConfig` ¶

protected array

Default config for the CSRF handling.

cookieName = The name of the cookie to send.
- expiry = How long the CSRF token should last. Defaults to browser session.
- secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
- httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
- field = The form field to check. Changing this will also require configuring FormHelper.

[
    'cookieName' => 'csrfToken',
    'expiry' => 0,
    'secure' => false,
    'httpOnly' => false,
    'field' => '_csrfToken',
]

Namespaces

Classes

Class CsrfComponent

Properties summary

Inherited Properties

Method Summary

_setCookie() protected

_validateToken() protected

implementedEvents() public

initialize() public

startup() public

Method Detail

_setCookie() protected ¶

Parameters

Returns

_validateToken() protected ¶

Parameters

Throws

implementedEvents() public ¶

Returns

Overrides

initialize() public ¶

Parameters

Overrides

startup() public ¶

Parameters

Methods inherited from Cake\Controller\Component

__construct() public ¶

Parameters

__debugInfo() public ¶

Returns

__get() public ¶

Parameters

Returns

getController() public ¶

Returns

Methods used from Cake\Core\InstanceConfigTrait

_configDelete() protected ¶

Parameters

Throws

_configRead() protected ¶

Parameters

Returns

_configWrite() protected ¶

Parameters

Throws

config() public ¶

Usage

Parameters

Returns

Throws

configShallow() public ¶

Parameters

Returns

getConfig() public ¶

Usage

Parameters

Returns

setConfig() public ¶

Usage

Parameters

Returns

Throws

Methods used from Cake\Log\LogTrait

log() public ¶

Parameters

Returns

Properties detail

$_defaultConfig ¶

`$_defaultConfig` ¶