Plupload And Yii - Csrf Token Not Verified

I’m trying to use Plupload widget (queue-ui version) with my Yii 1.1.12 application. Any attempt to upload files fails with error, that CSRF token is not verified and Plupload receives 400 Bad Request error. Plupload sends files via AJAX through POST.

What am I missing?

When I was doing some tests with FineUploader-based Yii extensions yesterday, there was absolutely no problems at all. Both client-side and server side was working perfectly and chunked file upload via AJAX worked like a charm.

BTW: I wrote my own widget for this purpose, because all Plupload widgets available in Yii extension repository are based on1.x branch of Plupload, while I want to use the newest 2.x branch. But, since widget is rendered without any problems and operates normally on client-side, I don’t think this is an issue in this case.

You need to add the CSRF token into the Plupload javascript options. You may be able to do so as follows (depending how you’re generating the javascript):

    multipart_params : {

        <?= CJavaScript::encode(Yii::app()->request->csrfTokenName, true); ?> :

                <?= CJavaScript::encode(Yii::app()->request->csrfToken, true); ?>


Info taken from here.

Thanks, Keith! I’ve just figured out this myself.

Here is piece of code, in case someone would need it done in "the widget" way:


 * Add CSRF token, if CSRF validation is enabled.




	$csrfTokenName = Yii::app()->request->csrfTokenName;

	$csrfToken = Yii::app()->request->csrfToken;

	$this->config['multipart_params'] = array($csrfTokenName=>$csrfToken);



 * Prepare and register jQuery script.


$jqueryScript = "$('#".$this->id."').pluploadQueue(".CJSON::encode($this->config).");";

Yii::app()->clientScript->registerScript('Yii.'.__CLASS__.'.'.$this->id, $jqueryScript, CClientScript::POS_END);

Thanks again!