Csrf Protection


(M7d Mh) #1

hi

I already added

'enableCsrfValidation'=>true,

in the main config file, but all my POST methods in jQuery calls won't work, and I can't get the value!!!

What is the problem / solution??

warm regards


(Angel De La Noche) #2

Make sure you are sending csrf token (either as hidden field or by supplying additional data to ajax request).

Otherwise you'll get a 403.


(M7d Mh) #3

Thanks for your quick response.

But why, in a regular POST, am I getting the values, and only have a problem with the Ajax POST?


(Abennouna) #4

If you check the generated HTML output in a standard CActiveForm, you’ll notice that there’s a hidden field containing a hidden CSRF token. In regular posts, all the form data are sent, but in Ajax requests, it depends on what you send.


(M7d Mh) #5

In my main function I enabled

'enableCsrfValidation'=>true,

How can I check whether CSRF validation is working or not??

In the case of an Ajax POST I am sending the CSRF token, but I am still not able to get the value in my Ajax calling function.


(Abennouna) #6

Please post the relevant parts of your view and controller.


(M7d Mh) #7

Thanks to all,

I implemented it, and I overrode 2 functions for comparing in a component.


(Mwerlberger85) #8

Good to hear that it works for you, but it would be nice if you could share your solution here so it may help others in the future with a similar problem.


(M7d Mh) #9

Sorry for the delay, I was on vacation :)

First I create one class and extend CHttpRequest:


<?php
// components/HttpRequest.php: keeps the CSRF token in the session instead of
// the default cookie, and compares the POSTed token against the session copy.
class HttpRequest extends CHttpRequest
{
	private $_csrfToken;

	// Returns the CSRF token, generating it and storing it in the session on first use.
	public function getCsrfToken()
	{
		if($this->_csrfToken===null)
		{
			$session = Yii::app()->session;
			$csrfToken=$session->itemAt($this->csrfTokenName);
			if($csrfToken===null)
			{
				$csrfToken = sha1(uniqid(mt_rand(),true));
				$session->add($this->csrfTokenName, $csrfToken);
			}
			$this->_csrfToken = $csrfToken;
		}
		return $this->_csrfToken;
	}

	// onBeginRequest handler: only POST requests are checked; the token must be
	// present both in the session and in $_POST, and the two must be identical.
	public function validateCsrfToken($event)
	{
		if($this->getIsPostRequest())
		{
			// only validate POST requests
			$session=Yii::app()->session;
			if($session->contains($this->csrfTokenName) && isset($_POST[$this->csrfTokenName]))
			{
				$tokenFromSession=$session->itemAt($this->csrfTokenName);
				$tokenFromPost=$_POST[$this->csrfTokenName];
				$valid=$tokenFromSession===$tokenFromPost;
			}
			else
				$valid=false;
			if(!$valid)
				throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.'));
		}
	}
}

and save this file as HttpRequest.php in the components folder,

then in config/main do this:




'components'=>array(
	.....
	'request'=>array(
		'class'=>'application.components.HttpRequest',
		'enableCookieValidation'=>true,
		'enableCsrfValidation'=>true,
	),
	.....
),



and for Ajax requests I just post the token value and by default Yii validates it;

if you are using the GET method you should manually validate it.

Another benefit of this class is using validation with the session.

I followed this article:

http://www.yiiframework.com/wiki/274/how-to-validate-csrf-token-with-session/


(Fire) #10

When you said "and for Ajax requests I just post the token value and by default Yii validates it",

what was the key/value you posted?
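The round trip described in #9 (token read from the CActiveForm hidden field, sent as an ordinary POST field, compared against the session copy), modelled in JavaScript as an added example that is not code from the thread. It assumes the Yii 1.x default token name `YII_CSRF_TOKEN` (CHttpRequest::$csrfTokenName) and a constructed token value; the form HTML is a constructed sample of what CActiveForm renders.

```javascript
// Added illustration of the CSRF round trip from the thread above.
// Assumption: the default Yii 1.x token name 'YII_CSRF_TOKEN'.
const CSRF_TOKEN_NAME = 'YII_CSRF_TOKEN';

// Constructed sample of a CActiveForm: the hidden field carries the token.
const SAMPLE_FORM_HTML =
  '<form id="post-form" method="post">' +
  '<input type="hidden" value="abc123token" name="YII_CSRF_TOKEN" />' +
  '<input type="text" name="Post[title]" value="hello" />' +
  '</form>';

// Client side: pull the token out of the rendered form. In a browser this is
// $('input[name="YII_CSRF_TOKEN"]').val(); here a regex does the same on a string.
function readCsrfToken(html, tokenName = CSRF_TOKEN_NAME) {
  const re = new RegExp(`<input[^>]*name="${tokenName}"[^>]*>`, 'i');
  const tag = html.match(re);
  if (!tag) return null;
  const value = tag[0].match(/value="([^"]*)"/i);
  return value ? value[1] : null;
}

// Client side: build the object for $.ajax({type: 'POST', data: ...}).
// The token is just another POST field named after csrfTokenName, which is
// the key/value asked about in #10.
function buildPostData(fields, token, tokenName = CSRF_TOKEN_NAME) {
  return Object.assign({}, fields, { [tokenName]: token });
}

// Server side: the same decision HttpRequest::validateCsrfToken makes in the
// PHP class above, returning the HTTP status the POST would receive.
function validateCsrfToken(sessionToken, postFields, tokenName = CSRF_TOKEN_NAME) {
  const posted = postFields[tokenName];
  const valid = sessionToken !== undefined && posted !== undefined && sessionToken === posted;
  return valid ? 200 : 400; // the class throws CHttpException(400) on mismatch
}
```

A request whose data object omits the token field, or whose session has no token yet, gets the 400 from the class, which is why a plain `$.post(url, {...})` without the field fails while the regular form submit succeeds.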