what is the purpose of _csrf

Hi, I’m just curious about the _csrf in yii2 basic,what is the purpose of this _csrf ?..what does really do to our application ?..can you please enlighten my mind.

Thank you in advance.

Have a read of this: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) :)

I could not get the idea :unsure:

A simple way to explain it is… if YOU were logged into a site in YOUR browser and they had a form on that site that allowed you to send money to someone else and this form DIDN’T have CSRF protection then a malicious user could simply for example send you to a site that when you visit it it will make a call via JavaScript for example to the site that you are already logged into and spoof you sending money to THEM. All they do is pass the script all the required details (for example from_username, to_username, $$$ amount) and the script will process it because the request is coming from YOUR browser and YOU are currently logged into the site.

If the form has CSRF protection then the malicious site would also have to pass a VALID CSRF token to match the session/cookie token that exists on your system; so they could go ahead an pass a CSRF token, but since you wouldn’t have it stored on your system then their (your) request would fail as the token they passed with the form values didn’t match any on your system.