Gitee
\
Acme
Aura
Intl
Exception
Behavior
Boris
Cake
Auth
Storage
Cache
Engine
Chronos
Benchmarks
Chronos
MutableDateTime
Traits
Collection
Iterator
Command
Console
Exception
Controller
Component
Exception
Core
Configure
Engine
Exception
Retry
Database
Driver
Exception
Expression
Log
Retry
Schema
Statement
Type
Datasource
Exception
Error
Middleware
Event
Decorator
Filesystem
Form
Http
Client
Adapter
Auth
Cookie
Exception
Middleware
Session
I18n
Formatter
Middleware
Parser
Log
Engine
Mailer
Exception
Transport
Network
Exception
ORM
Association
Loader
Behavior
Translate
Exception
Locator
Rule
PHPStan
Routing
Exception
Filter
Middleware
Route
Shell
Helper
Task
Test
Fixture
TestSuite
Constraint
Console
Email
Response
Session
View
Fixture
Stub
Utility
Crypto
Exception
Validation
View
Exception
Form
Helper
Widget
Composer
Autoload
Installers
f4engine
engine
Home
Controller
Monolog
Formatter
Handler
Processor
Org
Net
Util
Psr
Http
Message
Log
Test
SimpleCache
Think
Cache
Driver
Controller
Crypt
Driver
Db
Driver
Image
Driver
Log
Driver
Model
Session
Driver
Storage
Driver
Template
Driver
TagLib
Upload
Driver
Bcs
Qiniu
Zend
Diactoros
Exception
Request
Response

\Cake\Http\MiddlewareCsrfProtectionMiddleware

Provides CSRF protection & validation.

This middleware adds a CSRF token to a cookie. The cookie value is compared to request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request.

If the request data is missing or does not match the cookie data, an InvalidCsrfTokenException will be raised.

This middleware integrates with the FormHelper automatically and when used together your forms will have CSRF tokens automatically added when $this->Form->create(...) is used in a view.

Summary

Methods
Properties
Constants
__construct()
__invoke()
No public properties found
No constants found
_validateAndUnsetTokenField()
_createToken()
_addTokenToRequest()
_addTokenCookie()
_validateToken()
$_defaultConfig
$_config
N/A
No private methods found
No private properties found
N/A

Properties

$_defaultConfig

$_defaultConfig : array

Default config for the CSRF handling.

  • cookieName The name of the cookie to send.
    • expiry A strotime compatible value of how long the CSRF token should last. Defaults to browser session.
    • secure Whether or not the cookie will be set with the Secure flag. Defaults to false.
    • httpOnly Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
    • field The form field to check. Changing this will also require configuring FormHelper.

Type

array

$_config

$_config : array

Configuration

Type

array

Methods

__construct()

__construct(array  $config = array())

Constructor

Parameters

array $config

Config options. See $_defaultConfig for valid keys.

__invoke()

__invoke(\Cake\Http\ServerRequest  $request, \Cake\Http\Response  $response, callable  $next) : \Cake\Http\Response

Checks and sets the CSRF token depending on the HTTP verb.

Parameters

\Cake\Http\ServerRequest $request

The request.
\Cake\Http\Response $response

The response.
callable $next

Callback to invoke the next middleware.

Returns

\Cake\Http\Response

A response

_validateAndUnsetTokenField()

_validateAndUnsetTokenField(\Cake\Http\ServerRequest  $request) : \Cake\Http\ServerRequest

Checks if the request is POST, PUT, DELETE or PATCH and validates the CSRF token

Parameters

\Cake\Http\ServerRequest $request

The request object.

Returns

\Cake\Http\ServerRequest

_createToken()

_createToken() : string

Create a new token to be used for CSRF protection

Returns

string

_addTokenToRequest()

_addTokenToRequest(string  $token, \Cake\Http\ServerRequest  $request) : \Cake\Http\ServerRequest

Add a CSRF token to the request parameters.

Parameters

string $token

The token to add.
\Cake\Http\ServerRequest $request

The request to augment

Returns

\Cake\Http\ServerRequest

Modified request

_addTokenCookie()

_addTokenCookie(string  $token, \Cake\Http\ServerRequest  $request, \Cake\Http\Response  $response) : \Cake\Http\Response

Add a CSRF token to the response cookies.

Parameters

string $token

The token to add.
\Cake\Http\ServerRequest $request

The request to validate against.
\Cake\Http\Response $response

The response.

Returns

\Cake\Http\Response

$response Modified response.

_validateToken()

_validateToken(\Cake\Http\ServerRequest  $request) : void

Validate the request data against the cookie token.

Parameters

\Cake\Http\ServerRequest $request

The request to validate against.

Throws

\Cake\Http\Exception\InvalidCsrfTokenException

When the CSRF token is invalid or missing.