CODEWITHSUNDEEP
phpcookiesyii2
Chloe
Chloe

Reputation: 26274

How do I get the CSRF token in Yii without setting the _csrf cookie?

How do I get the CSRF token in Yii without setting the _csrf token? I tried many things, but nothing works. Each time I try to access the CSRF token, it sets a cookie.

  <?//= Html::csrfMetaTags() // sets _csrf cookie. prevents Fastly CDN caching. ?>
  <?php 
    $this->registerMetaTag(['name' => 'csrf-param', 'content' => '_csrf']);
    $this->registerMetaTag(['name' => 'csrf-token', 'content' => 'xxx']);
    Yii::$app->request->csrfToken;
  ?>

Yields

$ curl -I http://localhost:81/xxx/web/shopping/search?q=toaster
...
Set-Cookie: _csrf=0fe1db8822f87506dd00feefb32438ffee24116b4ec717287e23422d81feb32ea%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22DkE4S5EYilTEkubAr-dWda5CV0y5XCEp%22%3B%7D; path=/; httponly

It doesn't set the cookie when I comment out Yii::$app->request->csrfToken;. I've also tried unsetting the cookie immediately afterward, but it sends Set-Cookie: _csrf=delete; expires=Thu, 01-Jan-1970 00:00:01 GMT; to the browser then. I also tried setting $enableCsrfCookie to false, but then it sets PHPSESSID cookie.

I need the CSRF meta tags for the logout link, which uses POST and Javascript to submit. The forms work OK as they insert the CSRF into the <form> tags.

Upvotes: 1

Views: 1824

Answers (1)

Chloe
Chloe

Reputation: 26274

I discovered that there is a second parameter to remove() which prevents sending to the browser, so I can get the token, then immediately delete the cookie.

Yii::$app->response->cookies->remove('_csrf', false);

Upvotes: 1

Related Questions