CSRF questions

I’ve been reading about CSRF within Yii 2 and I read that it can be turned on or off. If I am seeing hidden fields and meta tags with the CSRF tokens does that mean that it’s on? I thought it was off by default?

Also, does Yii handle the CSRF checks automatically or do you have to manually check the POST’ed token matches the one in the cookie?


It is ON by default. If you’re using forms, everything is automatic. If it’s AJAX, you have to pass the token, but the check is, again, automatic.

Hi Sam - thanks.

Ok, so if I have a form that is going to be using Ajax do I just pass the token with a parameter name of "_csrf"?


The token name is configurable via http://www.yiiframework.com/doc-2.0/yii-web-request.html#$csrfParam-detail, but generally yes.
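As an added example (not code from this thread or from the Yii project itself), here is how the AJAX case discussed above can be handled on the client. Yii 2 writes the parameter name and the token into the page as `<meta name="csrf-param">` and `<meta name="csrf-token">` tags (that is what `Html::csrfMetaTags()` renders), and on the server it accepts the token either as the POST parameter named by `Request::$csrfParam` (default `_csrf`) or in the `X-CSRF-Token` request header. The `<head>` fragment below is constructed sample input standing in for what Yii rendered, the token value in it is made up, and the `/post/create` URL is a hypothetical endpoint.

```javascript
// Added example: sending Yii 2's CSRF token with an AJAX POST.
// Assumptions: the page was rendered with csrfMetaTags() in the layout and the
// default csrfParam "_csrf"; "/post/create" is a hypothetical endpoint.

// Read the two meta tags from a rendered page. A regex is used instead of the DOM so
// the same function runs in Node; in the browser you would simply do
//   document.querySelector('meta[name="csrf-param"]').getAttribute('content')
function parseCsrfMetaTags(html) {
  const read = (name) => {
    const m = html.match(new RegExp(`<meta\\s+name="${name}"\\s+content="([^"]*)"`, 'i'));
    return m ? m[1] : null;
  };
  const param = read('csrf-param');
  const token = read('csrf-token');
  if (!param || !token) {
    // No tags means the server will reject the POST: either CSRF validation is off
    // (then nothing is rendered) or the layout does not call csrfMetaTags().
    throw new Error('CSRF meta tags not found in page');
  }
  return { param, token };
}

// Form-encoded POST: the token goes in the body under the configured parameter name.
// URLSearchParams percent-encodes the "+", "/" and "=" characters that Yii's
// masked token may contain, so it arrives intact.
function buildFormBody(fields, csrf) {
  const body = new URLSearchParams(fields);
  body.set(csrf.param, csrf.token);
  return body.toString();
}

// fetch() options for a form-encoded POST carrying the token in the body.
function buildFormRequest(fields, csrf) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildFormBody(fields, csrf),
  };
}

// Alternative for JSON payloads: Yii also reads the token from the X-CSRF-Token header,
// so the body can stay pure JSON.
function buildJsonRequest(payload, csrf) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrf.token },
    body: JSON.stringify(payload),
  };
}

// Constructed sample of what Yii rendered into <head>; the token value is made up.
const SAMPLE_HEAD = `<head>
<meta charset="UTF-8">
<meta name="csrf-param" content="_csrf">
<meta name="csrf-token" content="a1B2c3d4e5F6g7H8==">
</head>`;

// Usage in the browser (not executed here):
//   const csrf = parseCsrfMetaTags(document.head.innerHTML);
//   fetch('/post/create', buildFormRequest({ title: 'hello world' }, csrf));
//   fetch('/post/create', buildJsonRequest({ title: 'hello world' }, csrf));
```

Note that the token must be included in every state-changing request, not only the first one: the check is per request, and a POST without it (or with a stale token from another session) is rejected by Yii with a 400 response.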