Catch "Missing or incorrect CSRF cookie type." exception

Question

I know why this exception is thrown, this is not the problem, but I am not capable to catch this exception.

This exception is thrown in CORE/src/Http/Middleware/CsrfProtectionMiddleware.php line #286:

if (!$cookie || !is_string($cookie)) {
   throw new InvalidCsrfTokenException(__d('cake', 'Missing or incorrect CSRF cookie type.'));
}

When I check the long list of the stack in the CakePHP error window it's clear to me I cannot start to modify the CORE files as with the next CakePHP update/upgrade my modifications are lost.

The only script I can modify and should be easily handled is webroot/index.php. It's also mentioned in the call stack in the first position:

Cake\Http\Server->run ROOT/webroot/index.php:50

And here I am stuck. What ever I tried:

• try/catch ( \Exception )
• try/catch ( \Cake\Http\Exception\InvalidCsrfTokenException )
• Using set_exception_handler()

nothing helps, this means, I always get the below error window. In this window you can see on the left the long call stack of scripts which are called until the exception is thrown. And this are even not all scripts. So it's really nested.

My question:

How can I catch this exception in the most top PHP script webroot/index.php - below this script are another 16 scripts called until the exception is thrown. I don't want to modify the CakePHP core files.

I am running CakePHP 4.1.4

Answer 1

You cannot catch that exception in index.php, as it is already being catched by the error handler middleware, which presents you that nice error screen, which however you'd only see in debug mode, in case that is your concern.

Your first chance to catch that exception would be a custom middleware, which you'd have to place between the error handler middleware and the CSRF protection middleware, something along the lines of this:

// in src/Application.php

public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // ...

        ->add(function (
            \Psr\Http\Message\ServerRequestInterface $request,
            \Psr\Http\Server\RequestHandlerInterface $handler
        ) {
            try {
                // continue with the next middleware
                return $handler->handle($request);
            } catch (\Cake\Http\Exception\InvalidCsrfTokenException $exception) {
                // handle the catched exception
                $response = new \Cake\Http\Response();

                return $response->withStringBody('Oh noes, CSRF error!');
            }
        })

        // ...
        
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}