Reputation: 15
I need to completely disable the CSRF token check for my application. I tried to use:
public function beforeFilter(Event $event)
{
$this->getEventManager()->off($this->Csrf);
}
in AppController, but it does not seem to work. Manual link: Disabling the CSRF Component for Specific Actions
I did a lot of tests and read many posts, but I could not solve it.
Ty.
@omerowitz This is my AppController before filter action:
public function beforeFilter(Event $event)
{
$this->getEventManager()->off($this->Security);
if($this->request->is('post')) {
$this->getEventManager()->off($this->Csrf);
}
$this->Auth->allow(['index', 'view', 'display']);
}
but it still does not work; I still get the error 'CSRF token mismatch.' when I make a request with Postman.
SOLUTION:
I have removed this:
->add(new CsrfProtectionMiddleware([
'httpOnly' => true
]));
from Application.php. Why is this not indicated in the manual?
Ty all!
Upvotes: 0
Views: 4459
Reputation: 1
I'm using whitelistCallback for a special prefix or an array of actions:
// in src/Application.php
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Http\ServerRequest;
public function middleware($middlewareQueue) {
$csrf = new CsrfProtectionMiddleware();
// Token check will be skipped when callback returns `true`.
$csrf->whitelistCallback(function (ServerRequest $request) {
// Skip token check for API URLs; every other route keeps the check.
if ($request->getParam('prefix') === 'api') {
return true;
}
return false;
});
// Ensure routing middleware is added to the queue before CSRF protection middleware,
// otherwise getParam('prefix') is not populated yet.
$middlewareQueue->add($csrf);
return $middlewareQueue;
}
Upvotes: 0
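The question asks how to switch CSRF off entirely, but the middleware answer above shows a narrower option: keep the token check for browser form routes and exempt only the API prefix. Below is an added example of a complete src/Application.php middleware() wired that way; it is not code from the question or from CakePHP itself, and it assumes a CakePHP 3.x release where CsrfProtectionMiddleware::whitelistCallback() is available and that the API routes are registered under the routing prefix 'api'.

```php
<?php
// src/Application.php (added example; assumes CakePHP 3.x with whitelistCallback()).
declare(strict_types=1);

namespace App;

use Cake\Core\Configure;
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Http\ServerRequest;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        // Keep the same cookie options as the stock skeleton instead of
        // deleting the middleware altogether.
        $csrf = new CsrfProtectionMiddleware([
            'httpOnly' => true,
        ]);

        // Exempt only requests routed to the 'api' prefix (assumed name).
        // Every other POST/PUT/PATCH/DELETE still needs a valid token.
        $csrf->whitelistCallback(function (ServerRequest $request) {
            return $request->getParam('prefix') === 'api';
        });

        $middlewareQueue
            ->add(ErrorHandlerMiddleware::class)
            ->add(new AssetMiddleware([
                'cacheTime' => Configure::read('Asset.cacheTime'),
            ]))
            // Routing must run before the CSRF middleware so that
            // getParam('prefix') is populated when the callback runs.
            ->add(new RoutingMiddleware($this, '_cake_routes_'))
            ->add($csrf);

        return $middlewareQueue;
    }
}
```

With this in place the 'CSRF token mismatch.' error from the question disappears only for /api/... requests, while a form POST to a non-API controller without the token is still rejected.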
Reputation: 16
In CakePHP 3.6.10:
Comment out the line below:
->add(new CsrfProtectionMiddleware([ 'httpOnly' => true ]));
This would completely disable CSRF token check.
Upvotes: 0
Reputation: 1
// src/Application.php
use Cake\Core\Configure;
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;
public function middleware($middlewareQueue)
{
$middlewareQueue
// Catch any exceptions in the lower layers,
// and make an error page/response
->add(ErrorHandlerMiddleware::class)
// Handle plugin/theme assets like CakePHP normally does.
->add(new AssetMiddleware([
'cacheTime' => Configure::read('Asset.cacheTime')
]))
// Add routing middleware.
// Routes collection cache enabled by default, to disable route caching
// pass null as cacheConfig, example: `new RoutingMiddleware($this)`
// you might want to disable this cache in case your routing is extremely simple
->add(new RoutingMiddleware($this, '_cake_routes_'));
// Add csrf middleware.
// Comment out the following code.
/* ->add(new CsrfProtectionMiddleware([
'httpOnly' => true
]));*/
return $middlewareQueue;
}
// Your particular controller, in my case UsersController:
use Cake\Event\Event;
public function beforeFilter(Event $event)
{
parent::beforeFilter($event);
$this->viewBuilder()->layout('admin');
$this->getEventManager()->off($this->Security);
}
// for initialize method
public function initialize()
{
parent::initialize();
$this->loadComponent('RequestHandler');
$this->loadComponent('Security');
}
Try this. It's working...
Upvotes: 0
Reputation: 1237
I think in Cake 3.6 you should remove CsrfProtectionMiddleware from the middleware queue in:
src/Application.php
Upvotes: 5
Reputation: 1
You can try this:
public function beforeFilter(Event $event)
{
// detach the CSRF component's listeners from the event manager
$this->getEventManager()->off($this->Csrf);
}
It's working for me!
You could also try with the Python language or Symfony 2.8.
Upvotes: 0
Reputation: 4097
You also need to disable the Security component. I use this for my API controllers:
$this->getEventManager()->off($this->Security);
if($this->request->is('post')) {
$this->getEventManager()->off($this->Csrf);
}
I disable it only for POST requests, although disabling both Security and Csrf will work as well.
Edit: I put it in my AppController, although it will work per-controller.
The Security component seems to enable CSRF and form tampering protection.
https://book.cakephp.org/3.0/en/controllers/components/security.html
Upvotes: 1