I’m trying to debug an issue with the same Yii codebase on 2 different environments (dev and production).
My question is, if enableCsrfValidation is set to true for the request component in the config, is the CSRF token validation skipped if YII_DEBUG is true? Or does setting enableCsrfValidation to true always validate CSRF tokens on forms regardless if debug mode is enabled or not?
Thank you.
CSRF validation is enabled regardless of YII_DEBUG - unless you change your configuration based on YII_DEBUG.
enableCsrfValidation to true always validate, but you can set a scenario
http://www.yiiframework.com/wiki/266/understanding-scenarios/
A scenario will not help with disabling CSRF validation - validation is done in CHttpRequest and is controlled by enableCsrfValidation.
If you want to disable CSRF in debug mode (not really recommended, but you can), then you configure ‘enableCsrfValidation’ to ‘YII_DEBUG’.
You may have to set YII_DEBUG to false in your index.php file (Code: defined(‘YII_DEBUG’) or define(‘YII_DEBUG’,false); )
giving it another shot. okay here is what i did
<?php
// index.php file
// remove the following lines when in production mode
defined('YII_DEBUG') or define('YII_DEBUG',true);
// specify how many levels of call stack should be shown in each log message
defined('YII_TRACE_LEVEL') or define('YII_TRACE_LEVEL',3);
// change the following paths if necessary
$yii=dirname(__FILE__).'/../vendor/yii.php';
$config=dirname(__FILE__).'/protected/config/main.php';
require_once($yii);
Yii::createWebApplication($config)->run();
// config/main.php file
// application components
'components'=>array(
...
'request'=>array(
'enableCsrfValidation'=> YII_DEBUG ? false : true,
),
...
),
and seems to work
Ok , as you load Yii before loading the config that you provide as a path to the application, this will work.
However, some developers may need to set YII_DEBUG to false explicitally if they interpret the configuration before loading yii.