Is CakePHP 3 CsrfProtectionMiddleware automatic?
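I'm rewriting an application to use most of the general features of CakePHP 3.5. However, one thing has me stumped. I set up the CsrfProtectionMiddleware as described, and I can see the token in the generated forms.
However, the manual does not describe a way of "checking" the submitted request data. It only seems to explain how to set it up: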
$csrf = new CsrfProtectionMiddleware();
$middlewareQueue
    // Catch any exceptions in the lower layers,
    // and make an error page/response
    ->add(ErrorHandlerMiddleware::class)
    // Handle plugin/theme assets like CakePHP normally does.
    ->add(AssetMiddleware::class)
    // Add routing middleware.
    ->add(new RoutingMiddleware($this))
    ->add($cookies)
    ->add($csrf);
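When a request is received, does CakePHP 3.5 perform the check automatically when CSRF is enabled?
Yes, the check is performed automatically. Quoting the API docs: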
This middleware adds a CSRF token to a cookie. The cookie value is
compared to request data, or the X-CSRF-Token header on each PATCH,
POST, PUT, or DELETE request.
If the request data is missing or does not match the cookie data, an
InvalidCsrfTokenException will be raised.
https://api.cakephp.org/3.5/class-Cake.Http.Middleware.CsrfProtectionMiddleware.html
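The check the quoted documentation describes, written out as a stand-alone sketch. This is an added example, not CakePHP's source and not part of the original answer; the function `checkCsrf`, the exception class, the cookie name `csrfToken`, the field name `_csrfToken` and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration of a double-submit cookie check; not CakePHP's own code.
// Assumed names: cookie "csrfToken", form field "_csrfToken".

class InvalidCsrfToken extends RuntimeException {}

/**
 * @param string $method  HTTP method of the request
 * @param array  $cookies request cookies
 * @param array  $body    parsed request data (form fields)
 * @param array  $headers request headers, names lower-cased
 */
function checkCsrf(string $method, array $cookies, array $body, array $headers): void
{
    // Only the state-changing methods named in the docs are checked.
    if (!in_array(strtoupper($method), ['PATCH', 'POST', 'PUT', 'DELETE'], true)) {
        return;
    }
    $cookie = $cookies['csrfToken'] ?? null;
    // Token from the request data, or else from the X-CSRF-Token header.
    $submitted = $body['_csrfToken'] ?? $headers['x-csrf-token'] ?? null;

    // A missing (or non-string, e.g. array-valued) token is rejected outright.
    if (!is_string($cookie) || $cookie === '' || !is_string($submitted)) {
        throw new InvalidCsrfToken('Missing CSRF token');
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    if (!hash_equals($cookie, $submitted)) {
        throw new InvalidCsrfToken('CSRF token mismatch');
    }
}

// Constructed sample requests: [method, cookies, body, headers].
$token = bin2hex(random_bytes(16));
$cases = [
    'GET, no token'        => ['GET', [], [], []],
    'POST, matching field' => ['POST', ['csrfToken' => $token], ['_csrfToken' => $token], []],
    'PUT, matching header' => ['PUT', ['csrfToken' => $token], [], ['x-csrf-token' => $token]],
    'POST, token missing'  => ['POST', ['csrfToken' => $token], [], []],
    'DELETE, wrong token'  => ['DELETE', ['csrfToken' => $token], ['_csrfToken' => 'forged'], []],
];
foreach ($cases as $label => [$m, $c, $b, $h]) {
    try {
        checkCsrf($m, $c, $b, $h);
        echo "$label: accepted\n";
    } catch (InvalidCsrfToken $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The first three constructed requests are accepted and the last two are rejected, which corresponds to the case where the middleware raises InvalidCsrfTokenException.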