First, if you do not understand what is the CSRF token? and why should we use it, please refer to the following link :
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
One of the new features of Yii2 is CSRF validation enabled by default.
If you use ajax or basic form as follows :
<form action='#' method='POST'>
...........
</form>
You will get an error exception :
Bad Request (#400): Unable to verify your data submission
That is because you do not submit csrf token. The easiest way if you dont care about csrf just disable it in main config :
'components' => [
'request' => [
....
'enableCsrfValidation'=>false,
],
.....
],
Or in Controller :
public function beforeAction($action) {
$this->enableCsrfValidation = false;
return parent::beforeAction($action);
}
So how to use Csrf Validation for your strong security website:
* With basic form:
- Create form with yii\widgets\ActiveForm or yii\bootstrap\ActiveForm
ActiveForm will automatically add a token in the form
Can use like this
<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
<?= $form->field($model, 'username') ?>
<?= $form->field($model, 'password')->passwordInput() ?>
....
<?php ActiveForm::end(); ?>
Or
<?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
<input type='text' name='name'/>
.........
<?php ActiveForm::end(); ?>
* With manual form:
you must manually add CSRF token in the form
<form action='#' method='POST'>
<input type="hidden" name="_csrf" value="<?=Yii::$app->request->getCsrfToken()?>" />
....
</form>
* With Ajax
- In main layout add csrfMetaTags :
<head>
.......
<?= Html::csrfMetaTags() ?>
</head>
- And in javascript ajax code add csrf param like this:
var csrfToken = $('meta[name="csrf-token"]').attr("content");
$.ajax({
url: 'request',
type: 'post',
dataType: 'json',
data: {param1: param1, _csrf : csrfToken},
});
