I was working on assets when CSRF validation stopped working.
Error 400 "Unable to verify your data submission" occurs on POST submissions.
Maybe it's happening after I removed assets from the @web/assets directory.
The same issue happened for my virtual machine's copy of the project recently, and I couldn't find a solution other than disabling CSRF validation. However, it's not a good idea.
The layout header contains <?= Html::csrfMetaTags() ?>, and the POST submission parameters also include _csrf.
I also cleared the browser cache and cookies and flushed the application cache using the "yii cache/flush-all" command.
Yii::$app->getRequest()->validateCsrfToken() returns FALSE in the yii\web\Controller::beforeAction() method, if that matters.
When you delete everything except the .gitignore file inside the assets folder,
are the assets re-created next time you visit your page?
Yes, they are.
If no: check permissions for the assets folder.
I’m working on Windows 7 and XAMPP, so permissions are not very tricky.
What are you working on? Windows or Linux/Unix?
I'm working on Windows 7 for development. However, I have a production copy of the project on a VirtualBox VM which is CentOS 7. Although the clone on CentOS was the one which got sick with CSRF, let's concentrate on Windows 7 for simplicity.
Yii2 Advanced or Basic Template?
Yii2 Advanced
Framework Version? 2.0.6?
Yes 2.0.6
You receive the "Error 400" on ALL post submissions at the entire project-site?
Or only in specific forms / controllers?
I receive the error only in one form in one controller, just in the backend. Ajax POST submissions to this controller still work. However, they don't include the "_CSRF" parameter. I have not changed anything on that controller or form recently.
I'm not sure whether it's epidemic or not.
Install a FRESH application template and check if CSRF is working there.
I did it and CSRF works. It was working for the last three months on my main application.
If yes: Re-Install the vendor directory.
If it works, it will just hide the problem without giving any solution, and it's risky for production if I don't know the origin of the disease. I met a few people with the same problem and no solution out there when I was googling it.
If the problem persists after above:
There must be something fishy somewhere in your code or configuration.
It's likely the configuration is guilty, but I don't know how.
If you make use of git:
Compare the last working commit/version with your broken one to identify all recent changes.
I use git. The problem sticks to the project when I go back in history, so I couldn't recognize the break point.
I don't know exactly how CSRF works. Maybe I should study it to solve the problem, but it would be great if someone told me what common causes make CSRF validation fail.
It's an ActiveForm and the POST parameters include _csrf.
I noticed the CSRF token which is posted in the submission is different from what is generated in the header of the page. It's normal, isn't it?
I've not touched this part of my project for so long and it worked. I was working on assets, URLs, configs and the environment directory to separate dev and prod configs when CSRF attacked me!
When I go back to sunny days using git, the problem sticks to the project, and it's weird. Perhaps it tells me the problem is somewhere in git-ignored places.
The CSRF token should be the same in the meta tag and in the hidden input form field.
Could you paste here the generated source of the page with the form (at least the interesting parts like header and form itself) and then the view file with the form?
I asked because it's not usual to see a URL with 'backend' or 'frontend' + 'web', since the standard way is to point the domain to that folder so it will be hidden in the URL.
I'm afraid we've got not enough information to help you. It probably requires taking a look at your code in general.
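To make concrete why the token embedded in a page looks different from the cookie value and from one page load to the next, while the meta tag and the hidden field of a single render must match (the question and answer above), here is a standalone PHP illustration modelled on Yii 2's token masking. It is an added example, not Yii's own code and not code from this thread; the raw token, the "stale" cookie value and the renderPage() helper are constructed for the demonstration.

```php
<?php
// Added, standalone illustration modelled on Yii 2's token masking; not Yii's own code.
// The posted token is mask || (mask XOR rawToken), base64url-encoded, so every render
// yields a different string for the same raw token, and validation unmasks it before
// comparing against the raw token kept in the _csrf cookie.

function maskToken(string $token): string
{
    // A fresh random mask of the same length as the token on every call.
    $mask = random_bytes(strlen($token));
    return rtrim(strtr(base64_encode($mask . ($mask ^ $token)), '+/', '-_'), '=');
}

function unmaskToken(string $masked): string
{
    $decoded = base64_decode(strtr($masked, '-_', '+/'), true);
    if ($decoded === false || strlen($decoded) === 0 || strlen($decoded) % 2 !== 0) {
        return '';                               // malformed input never validates
    }
    $half = intdiv(strlen($decoded), 2);
    return substr($decoded, 0, $half) ^ substr($decoded, $half);
}

function validateCsrf(string $postedToken, string $trueToken): bool
{
    $unmasked = unmaskToken($postedToken);
    // Constant-time comparison against the raw token (the value the _csrf cookie carries).
    return $unmasked !== '' && hash_equals($trueToken, $unmasked);
}

// Constructed stand-in for one page render: the token is masked once per request, so the
// meta tag and the ActiveForm hidden field receive the same string.
function renderPage(string $trueToken): array
{
    $masked = maskToken($trueToken);
    return ['meta' => $masked, 'hidden' => $masked];
}

// Constructed raw token standing in for the value Yii would keep in the _csrf cookie.
$trueToken = random_bytes(32);

$first  = renderPage($trueToken);
$second = renderPage($trueToken);
$stale  = random_bytes(32);    // constructed: a cookie left over from another copy of the site

printf("meta == hidden within one render: %s\n", $first['meta'] === $first['hidden'] ? 'yes' : 'no');
printf("same string across two renders:   %s\n", $first['meta'] === $second['meta'] ? 'yes' : 'no');
printf("first render validates:           %s\n", validateCsrf($first['hidden'], $trueToken) ? 'yes' : 'no');
printf("second render validates:          %s\n", validateCsrf($second['hidden'], $trueToken) ? 'yes' : 'no');
printf("validates against stale cookie:   %s\n", validateCsrf($first['hidden'], $stale) ? 'yes' : 'no');
```

The last line is the case to keep in mind when a site exists under several paths or hosts: a posted token unmasks to the raw token of the page that rendered it, so it only validates if the cookie the browser sends with the POST is the one that page was generated from.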
You have told us the result and a sketch of the setup, but it would be interesting to learn what you are doing in your code.
Normally, Yii does all the work behind the scenes, and the most common source of error is people who are complicating things by interfering with what Yii does…
It didn't work. However, it worked for so long without an id and I created more than 100 polls without any problem. I'm curious about the form id now. How does it affect _csrf validation?
I think it's so hard to find a solution without access to the entire project. By the way, thank you very much for helping me.
I had this problem. First, open your page in another browser. If it is OK, that means your CSRF is cached. Then open your page in Chrome and install the EditThisCookie extension. Click on the extension and check whether your _csrf cookie is duplicated; if so, remove all duplicated _csrf cookies. In your POST params add cache: false.
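The duplicated-cookie situation in the reply above can be checked on the server side as well as with a browser extension. The following PHP diagnostic is an added example, not code from the thread or from Yii; it parses a raw Cookie header and lists every name the browser sent more than once. The header string is constructed, and the cookie values in it are placeholders.

```php
<?php
// Added diagnostic (not from the thread, not Yii code). A browser that reached the site
// under different paths (for example "/" and "/backend/web") can hold several cookies
// named _csrf and sends all of them in one Cookie header; PHP keeps a single value in
// $_COOKIE, so the request may be validated against the wrong one.

function findDuplicateCookies(string $cookieHeader): array
{
    $byName = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;                       // skip empty or malformed fragments
        }
        [$name, $value] = explode('=', $pair, 2);
        $byName[trim($name)][] = $value;
    }
    $duplicates = [];
    foreach ($byName as $name => $values) {
        if (count($values) > 1) {
            $duplicates[$name] = $values;   // name sent more than once
        }
    }
    return $duplicates;
}

// Constructed Cookie header resembling what a browser sends once a stale _csrf cookie was
// left behind on a parent path; the values are placeholders, not real tokens.
$header = '_csrf=OLD_PLACEHOLDER; PHPSESSID=SESSION_PLACEHOLDER; _csrf=NEW_PLACEHOLDER';

foreach (findDuplicateCookies($header) as $name => $values) {
    printf("cookie %s was sent %d times (%s)\n", $name, count($values), implode(', ', $values));
}
```

In a live request pass `$_SERVER['HTTP_COOKIE'] ?? ''` instead of the constructed string. If a duplicate shows up, clearing the cookies for that host is the quick fix (which is what the EditThisCookie step does); the durable fix is to give the _csrf cookie one consistent path for every entry point, for example through the `csrfCookie` array of the request component in the application config.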
Hi, I got the same error. And in my case I found out that the problem was in the POST Content-Length. I increased the "post_max_size" and "upload_max_filesize" values in the php.ini file and everything works fine now. To figure it out I stopped my script with XDebug at this line in the Controller.php file
if ($this->enableCsrfValidation && Yii::$app->getErrorHandler()->exception === null && !$this->request->validateCsrfToken()) {
and then got a PHP POST Content-Length warning. Don't know why the $request object doesn't contain CSRF tokens if you are trying to upload too large files (this is some difficulty between yii2 and the PHP interpreter, I suppose), and also yii2 doesn't display any information about it and just returns a "403 bad request error", just like you didn't have CSRF tokens at all.
I noticed the image field in your form, and thought that you may be trying to upload too large files.
I used PHP version 8.0.1, and Yii2 version 2.0.40.
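The oversized-upload case described in the post above can be recognised before the framework's CSRF check runs, so it is reported as what it is rather than as a token failure. The PHP below is an added example, not code from the thread or from Yii; the request states it runs through are constructed, and the hook into a Yii controller described after it is an assumption about where a practitioner would place the call.

```php
<?php
// Added example (not from the thread, not Yii code). When a request body is larger than
// post_max_size, PHP discards the whole body: $_POST and $_FILES arrive empty while
// Content-Length still reports the bytes that were sent, so the _csrf field never reaches
// the framework and the failure surfaces as a CSRF error. This check recognises that state.

function iniSizeToBytes(string $value): int
{
    // php.ini shorthand: plain bytes, or a number followed by K, M or G.
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                 // leading digits, e.g. "8M" -> 8
    switch (strtolower(substr($value, -1))) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

function postBodyExceedsLimit(int $contentLength, string $postMaxSize, array $post, array $files): bool
{
    $limit = iniSizeToBytes($postMaxSize);
    // Body larger than the limit, yet nothing parsed: the body was dropped by PHP.
    return $limit > 0 && $contentLength > $limit && $post === [] && $files === [];
}

// Constructed request states. In a real request use (int) ($_SERVER['CONTENT_LENGTH'] ?? 0),
// ini_get('post_max_size'), $_POST and $_FILES.
$cases = [
    'normal form post'       => [4096,     '8M', ['_csrf' => 'TOKEN_PLACEHOLDER'], []],
    'oversized upload'       => [12582912, '8M', [],                               []],
    'empty post, small body' => [0,        '8M', [],                               []],
];
foreach ($cases as $label => [$length, $limit, $post, $files]) {
    printf("%-24s body=%d limit=%s -> %s\n", $label, $length, $limit,
        postBodyExceedsLimit($length, $limit, $post, $files) ? 'oversized, report 413' : 'ok');
}
```

In a Yii 2 controller the natural place for this is the top of beforeAction(), before `parent::beforeAction($action)` performs the CSRF validation: when the check returns true, throw `new \yii\web\HttpException(413, ...)` so the user sees an upload-size error. Keep upload_max_filesize below post_max_size, otherwise a single file can still push the body over the limit.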