Yii 2.0 CSRF validation for AJAX request

Question

I have an ajax function that triggers an entry deletion from my database.

I need to do CSRF validation for the same. How can I do that?

I am sending the CSRF cookie along with my post request, but Yii 2.0 is not validating it and any input that is passed through ajax is reaching the server.

How do I do CSRF validation for ajax requests.

Whether we need to manually set cookie and check?

Answer 1

Please let me add some optional answer i found at this page,

    <head>
       .......
       <?= Html::csrfMetaTags() ?>
    </head>
    .......
<script>
    var csrfToken = $('meta[name="csrf-token"]').attr("content");
    $.ajax({
             url: 'request',
             type: 'post',
             dataType: 'json',
             data: {param1: param1, _csrf : csrfToken},
    });
</script>

Answer 2

Finally I identified that just including

    <?= Html::csrfMetaTags() ?>

in mail layout will automatically add csrf validation to every post / get requests whether it is ajax or not.We dont need to manually send csrf token along with aja

    <?= Html::csrfMetaTags() ?>

the request is failing and throwing the exception..So it was my mistake..Just adding <?= Html::csrfMetaTags() ?>

will do csrf validation whether it is ajax or non ajax request / form submission..

Hats off to Yii 2.0 inventors for such an awesome stuff #love-yii-2.0

Answer 3

You don't need to manually set cookie.

If you are using jQuery CSRF token will be sent automatically.

For example for AngularJS you can add it manually to request params like that:

yii.getCsrfParam(): yii.getCsrfToken()

Make sure you have YiiAsset included.

Otherwise you can retrieve them from meta tags (that's basically what these two methods do):

$('meta[name=csrf-param]').prop('content'): $('meta[name=csrf-token]').prop('content')

Also note that for enabling CSRF validation both Controller's and Request's property enableCsrfValidation property must be set to true.

Update:

Another important thing to understand:

CSRF token will be validated only on this methods: GET, HEAD, OPTIONS.

Also make sure you have <?= Html::csrfMetaTags ?> in main layout.