CakePHP: CMS Tutorial: Getting InvalidCsrfTokenException although CSRF protection is not even activated
I installed CakePHP 4.0.6 on my Lubuntu, using the local Apache server. The installation went fine and I can see the welcome page.
Then I started the CMS tutorial, created the tables in the database, and then baked everything with
./cake bake all --everything
That also worked fine; I can see the /users/index page.
Next, of course, I tried to use the CMS by adding a user. The form was displayed and I filled in the requested information, but on submitting I received this error:
Missing CSRF token body
Stack trace:
[Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token body in /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 254
Stack Trace:
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:133
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:162
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:119
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php:60
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Server.php:90
- /home/david/Software/cakePhpTest/webroot/index.php:40
Request URL: /users/add
Referer URL: http://localhost:8765/users/add
Client IP: 127.0.0.1
What really confuses me is that, according to the CakePHP documentation, cross-site request forgery protection has to be enabled in src/Application.php, which is not the case in a freshly installed project. I checked.
So how can something that is not enabled cause an error?
To see what happens when it is enabled, I copied the code from the documentation:
use Cake\Http\Middleware\CsrfProtectionMiddleware;
...
$options = [
// ...
];
$csrf = new CsrfProtectionMiddleware($options);
into src/Application.php. This leads to the same error.
In the default application skeleton, the CSRF middleware is being registered in the routing scope; something similar is shown in the second example of the docs you linked.
$routes->scope('/', function (RouteBuilder $builder) {
// Register scoped middleware for in scopes.
$builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
'httpOnly' => true,
]));
/*
* Apply a middleware to the current route scope.
* Requires middleware to be registered through `Application::routes()` with `registerMiddleware()`
*/
$builder->applyMiddleware('csrf');
// ...
});
https://github.com/cakephp/app/blob/4.0.3/config/routes.php#L49-L58
Check your config/routes.php file and configure/remove the middleware according to your needs.
If you want to keep using the CSRF middleware, make sure to delete the cookies for the domain: the CSRF token cookie has changed and is currently not compatible with existing CSRF token cookies, see https://github.com/cakephp/cakephp/issues/14471.
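To make the two halves of this concrete, here is an added example (not code from the question, the answer, or the cakephp/app skeleton) showing both files involved in one listing: the route scope in config/routes.php where the middleware actually runs, and the baked template whose FormHelper call is what supplies the `_csrfToken` field the middleware checks. The template fields (`email`, `password`) and the `$user` entity are assumed from the CMS tutorial.

```php
<?php
// --- config/routes.php (CakePHP 4.0 app skeleton layout) ---
// The CSRF middleware lives in the '/' route scope, so it runs for every
// routed request even though Application::middleware() never mentions it.
// For any non-GET request it requires the `_csrfToken` body field (or the
// X-CSRF-Token header) to match the csrfToken cookie; a POST that carries
// the cookie but no field fails with "Missing CSRF token body".
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\RouteBuilder;

/** @var \Cake\Routing\RouteBuilder $routes */
$routes->scope('/', function (RouteBuilder $builder) {
    $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,   // token cookie not readable from page scripts
    ]));
    // Remove this line (and the registration above) only if you really
    // want every form under '/' to submit without CSRF protection.
    $builder->applyMiddleware('csrf');

    $builder->fallbacks();
});

// --- templates/Users/add.php (assumed from the CMS tutorial) ---
// FormHelper::create() reads the `csrfToken` request attribute set by the
// middleware and emits <input type="hidden" name="_csrfToken" value="...">,
// so a baked form submits successfully. A hand-written <form method="post">
// without that field is exactly what produces the exception above.
?>
<?= $this->Form->create($user) ?>
<?= $this->Form->control('email') ?>
<?= $this->Form->control('password') ?>
<?= $this->Form->button(__('Submit')) ?>
<?= $this->Form->end() ?>
```

A quick check when debugging this: view the source of the rendered /users/add page and confirm a hidden `_csrfToken` input is present; if it is missing, the form was not built through FormHelper (or the middleware never ran for the GET), and a stale cookie from an older CakePHP version will still fail even when the field is there.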