\Cake\Controller\Component\CsrfComponent

Provides CSRF protection & validation.

This component adds a CSRF token to a cookie. On each PATCH, POST, PUT, or DELETE request the cookie value is compared to the token submitted in the request data or in the X-CSRF-Token header.

If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.

This component integrates with FormHelper automatically: when the two are used together, a CSRF token is added to your forms whenever $this->Form->create(...) is called in a view.

Properties

$components

$components : array

Other Components this component uses.

Type

array

$_defaultConfig

$_defaultConfig : array

Default config for the CSRF handling.

  • cookieName = The name of the cookie to send.
  • expiry = How long the CSRF token should last. Defaults to browser session.
  • secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
  • httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
  • field = The form field to check. Changing this will also require configuring FormHelper.

Type

array
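As an added example (not from the CakePHP docs or the framework's own code), loading the component in a controller with the documented defaults beside a hardened configuration. It assumes expiry accepts a relative time string such as '+1 hour' (the docs only say how long the token should last) and that loadComponent() is available on the controller.

```php
<?php
// Added example, not part of the CakePHP documentation. Shows the documented
// defaults (secure = false, httpOnly = false, expiry = browser session) beside a
// hardened configuration for the CSRF token cookie.
namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();

        // Weak: relies on the documented defaults, so the token cookie is sent
        // over plain HTTP and is readable by page scripts.
        // $this->loadComponent('Csrf');

        // Hardened: Secure and HttpOnly flags set, token lifetime bounded.
        // '+1 hour' is our chosen value and assumes expiry accepts a relative time.
        $this->loadComponent('Csrf', [
            'cookieName' => 'csrfToken',   // documented default, shown explicitly
            'expiry' => '+1 hour',
            'secure' => true,
            'httpOnly' => true,
            // 'field' is left at its default: changing it also requires
            // configuring FormHelper, as the config docs note.
        ]);
    }
}
```

With httpOnly set, page scripts cannot read the cookie, so client code that sends the token in the X-CSRF-Token header must obtain it from the _csrfToken request param (for example via a value rendered into the view) rather than from document.cookie.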

$_componentMap

$_componentMap : array

A component lookup table used to lazy load component objects.

Type

array

$_config

$_config : array

Runtime config

Type

array

$_configInitialized

$_configInitialized : boolean

Whether the config property has already been configured with defaults

Type

boolean

Methods

__construct()

__construct(\Cake\Controller\ComponentRegistry  $registry, array  $config = array()) 

Constructor

Parameters

\Cake\Controller\ComponentRegistry $registry

A ComponentRegistry this component can use to lazy load its components

array $config

Array of configuration settings.

getController()

getController() : \Cake\Controller\Controller

Get the controller this component is bound to.

Returns

\Cake\Controller\Controller

The bound controller.

initialize()

initialize(array  $config) : void

Warns if CsrfComponent is used together with CsrfProtectionMiddleware.

Implement this method to avoid having to overwrite the constructor and call parent.

Parameters

array $config

The config data.

__get()

__get(string  $name) : mixed

Magic method for lazy loading $components.

Parameters

string $name

Name of component to get.

Returns

mixed

A Component object or null.

implementedEvents()

implementedEvents() : array

Events supported by this component.

Uses Conventions to map controller events to standard component callback method names. By defining one of the callback methods a component is assumed to be interested in the related event.

Override this method if you need to add non-conventional event listeners, or if you want components to listen to non-standard events.

Returns

array

__debugInfo()

__debugInfo() : array

Returns an array that can be used to describe the internal state of this object.

Returns

array

setConfig()

setConfig(string|array  $key, mixed|null  $value = null, boolean  $merge = true) : $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value

The value to set.

boolean $merge

Whether to recursively merge or overwrite existing config, defaults to true.

Throws

\Cake\Core\Exception\Exception

When trying to set a key that is invalid.

Returns

$this

getConfig()

getConfig(string|null  $key = null, mixed  $default = null) : mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key

The key to get or null for the whole config.

mixed $default

The return value when the key does not exist.

Returns

mixed

Config value being read.

config()

config(string|array|null  $key = null, mixed|null  $value = null, boolean  $merge = true) : mixed

Gets/Sets the config.

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Parameters

string|array|null $key

The key to get/set, or a complete array of configs.

mixed|null $value

The value to set.

boolean $merge

Whether to recursively merge or overwrite existing config, defaults to true.

Throws

\Cake\Core\Exception\Exception

When trying to set a key that is invalid.

Returns

mixed

Config value being read, or the object itself on write operations.

configShallow()

configShallow(string|array  $key, mixed|null  $value = null) : $this

Merge provided config with existing config. Unlike `config()` which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key

The key to set, or a complete array of configs.

mixed|null $value

The value to set.

Returns

$this

log()

log(mixed  $msg, integer|string  $level = \Psr\Log\LogLevel::ERROR, string|array  $context = array()) : boolean

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

mixed $msg

Log message.

integer|string $level

Error level.

string|array $context

Additional log data relevant to this message.

Returns

boolean

Success of log write.

startup()

startup(\Cake\Event\Event  $event) : void

Startup callback.

Validates the CSRF token for POST data. If the request is a GET request and the cookie value is absent, a cookie will be set.

Once a cookie is set it will be copied into request->getParam('_csrfToken') so that application and framework code can easily access the CSRF token.

RequestAction requests do not get checked, nor will they set a cookie should it be missing.

Parameters

\Cake\Event\Event $event

Event instance.
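The following is an added illustration of the check documented for startup() and in the class description above; it is not the component's source. The request is modelled as a plain array (constructed for this example) rather than a ServerRequest, and the function and key names are ours.

```php
<?php
// Added illustration of the check documented for startup() and in the class
// description; it is not the component's source. The request is a plain array
// (constructed for this example) rather than a ServerRequest.
declare(strict_types=1);

final class InvalidCsrfToken extends RuntimeException {}

// Unsafe methods must present the cookie token in the form field or the
// X-CSRF-Token header; a GET without the cookie mints one; the token is then
// copied into params['_csrfToken']; RequestAction requests are skipped.
function csrfCheck(array $req, string $cookieName = 'csrfToken', string $field = '_csrfToken'): array
{
    if ($req['requested'] ?? false) {
        return $req;
    }
    $method = strtoupper($req['method']);
    $cookie = $req['cookies'][$cookieName] ?? null;

    if (in_array($method, ['PATCH', 'POST', 'PUT', 'DELETE'], true)) {
        if (!is_string($cookie) || $cookie === '') {
            throw new InvalidCsrfToken('Missing CSRF token cookie');
        }
        $fromData = (string)($req['data'][$field] ?? '');
        $fromHeader = (string)($req['headers']['X-CSRF-Token'] ?? '');
        // Constant-time comparison against either source of the submitted token.
        if (!hash_equals($cookie, $fromData) && !hash_equals($cookie, $fromHeader)) {
            throw new InvalidCsrfToken('CSRF token mismatch');
        }
    } elseif ($method === 'GET' && $cookie === null) {
        $cookie = bin2hex(random_bytes(32));           // unguessable fresh token
        $req['setCookie'][$cookieName] = $cookie;      // what _setCookie() puts on the response
    }

    if ($cookie !== null) {
        $req['params']['_csrfToken'] = $cookie;        // exposed to FormHelper and app code
    }
    return $req;
}

// Constructed round trip: the GET mints the cookie, a POST must echo it back.
$get = csrfCheck(['method' => 'GET', 'cookies' => []]);
$token = $get['params']['_csrfToken'];
csrfCheck(['method' => 'POST', 'cookies' => ['csrfToken' => $token], 'data' => ['_csrfToken' => $token]]);
try {
    csrfCheck(['method' => 'POST', 'cookies' => ['csrfToken' => $token], 'data' => ['_csrfToken' => 'forged']]);
} catch (InvalidCsrfToken $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```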

_configRead()

_configRead(string|null  $key) : mixed

Reads a config key.

Parameters

string|null $key

Key to read.

Returns

mixed

_configWrite()

_configWrite(string|array  $key, mixed  $value, boolean|string  $merge = false) : void

Writes a config key.

Parameters

string|array $key

Key to write to.

mixed $value

Value to write.

boolean|string $merge

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

\Cake\Core\Exception\Exception

if attempting to clobber existing config

_configDelete()

_configDelete(string  $key) : void

Deletes a single config key.

Parameters

string $key

Key to delete.

Throws

\Cake\Core\Exception\Exception

if attempting to clobber existing config

_setCookie()

_setCookie(\Cake\Http\ServerRequest  $request, \Cake\Http\Response  $response) : array

Set the cookie in the response.

Also sets the request->params['_csrfToken'] so the newly minted token is available in the request data.

Parameters

\Cake\Http\ServerRequest $request

The request object.

\Cake\Http\Response $response

The response object.

Returns

array

An array of the modified request, response.

_validateToken()

_validateToken(\Cake\Http\ServerRequest  $request) : void

Validate the request data against the cookie token.

Parameters

\Cake\Http\ServerRequest $request

The request to validate against.

Throws

\Cake\Http\Exception\InvalidCsrfTokenException

when the CSRF token is invalid or missing.