14

I send same form data from different contollers and subdomain. But in one case I need disable CSRF validation.

Example:

Login form:

  • Location 1: main page example.com

  • Location 2: account.example.com/login

  • Location 3: gate.example.com

And I need disable validation just in case when I send data from location 1 to location 2.

I Used $form = $this->beginWidget('CActiveForm',...

How can I do that?

I supose that csrf cookie is not crossdomain!

4

8 回答 8

30

CSRF 验证发生在加载网页过程的早期,甚​​至在调用控制器之前。您想覆盖 CHttpRequest 类以告诉它忽略某些路由。

在您的文件夹中创建一个protected/components名为HttpRequest.php并添加以下内容的文件。

class HttpRequest extends CHttpRequest
{
    public $noCsrfValidationRoutes=array();

    protected function normalizeRequest()
    {
            //attach event handlers for CSRFin the parent
        parent::normalizeRequest();
            //remove the event handler CSRF if this is a route we want skipped
        if($this->enableCsrfValidation)
        {
            $url=Yii::app()->getUrlManager()->parseUrl($this);
            foreach($this->noCsrfValidationRoutes as $route)
            {
                if(strpos($url,$route)===0)
                    Yii::app()->detachEventHandler('onBeginRequest',array($this,'validateCsrfToken'));
            }
        }
    }
}

然后,protected/config使用以下信息编辑您的配置文件:

    // application components
'components'=>array(
    ....

    'request' => array(
        'enableCsrfValidation' => true,
        'class'=>'HttpRequest',
        'noCsrfValidationRoutes'=>array(
            'controllername/actionname',
        ),
    ),
 )
于 2013-05-29T12:56:51.227 回答
8

要禁用 CSRF,请将此代码添加到您的控制器:

public function beforeAction($action) {
    $this->enableCsrfValidation = false;
    return parent::beforeAction($action);
}
于 2014-06-20T12:36:22.877 回答
4

顾名思义,它是Cross-Site-Request-Forgery,所以不,它不是跨域的,不能是:)

请求组件中启用了 CSRF,因此只需获取请求组件并重新配置它:

Yii::app()->request->enableCsrfValidation = false;

我不太确定把它放在哪里,可能是在行动的开始。

于 2013-05-29T08:06:52.053 回答
3

从控制器禁用您的 CSRF:

class MyController extends Controller
{

    public $enableCsrfValidation = false;

见:https ://yii2-cookbook.readthedocs.io/csrf/#disabling-csrf-protection

于 2016-12-16T16:55:52.893 回答
2

要禁用 csrf,请将其添加到您的 main.php

return array(
'components'=>array(
    'request'=>array(
        'enableCsrfValidation'=>false,
    ),
),
);
于 2016-03-04T09:54:24.750 回答
1

To disable CSRF add this code to your controller:

public function beforeAction($action)
{
    Yii::app()->request->enableCsrfValidation = false;
    return parent::beforeAction($action);
}
于 2015-02-02T15:57:13.327 回答
1

这是对某些操作禁用它的另一种方法

public function beforeAction($action)
{
    Yii::$app->request->enableCsrfValidation = $action->id !== 'index'; //action name to disable CSRF for
    return parent::beforeAction($action);
}
于 2020-07-09T11:51:36.513 回答
0

我这样做与 willem-renzema 的方法略有不同。

<?php
class HttpRequest extends CHttpRequest
{
    public $noCsrfValidationRoutes=array();

    public function validateCsrfToken($event) { 
        $url=Yii::app()->getUrlManager()->parseUrl($this);
        foreach($this->noCsrfValidationRoutes as $route)
        {
            if(strpos($url,$route)===0)
                return true;
        }
        return parent::validateCsrfToken($event);
    }
}

配置它与他的答案相同,但他的方法给了我错误,因为并不总是可以$url=Yii::app()->getUrlManager()->parseUrl($this);normalizeRequest()函数中获取 url。

于 2017-04-26T15:25:44.040 回答