1

One more issue I am facing: my site is created in Yii2 and CSRF is enabled, but when I copy the full form including the CSRF token, create a new HTML file outside the server and submit the form from outside the server, it accepts my form.

What is the expected result?

It should give a permission issue.

What do you get instead?

It successfully accepts the form; I am not sure whether I am missing some configuration or what.

Yii version 2.0.6

PHP version 5.5.38

Operating system CentOS release 6.9 (Final)

Chux
Anil Kumar

2 Answers

2

CSRF protection is based on the fact that a third-party website should not know the CSRF token of your user. If you expose the CSRF token, then the whole protection will not work. This is by design.

If you want to block requests from untrusted domains, you should probably use CORS.

rob006
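To make the point of this answer and of the question concrete, here is an added example (not Yii code and not part of the original thread) written as a small, framework-agnostic Python model of a CSRF check. Yii's real implementation differs in detail (it masks the token per response), but the property discussed here is the same: the token check only verifies that the submitted value matches the token bound to the caller's own session, so a form copied together with the user's genuine token passes it. The example then adds a second, independent check on the browser-supplied `Origin`/`Referer` header, which is what actually rejects a submission served from another host or from a local HTML file (browsers send `Origin: null` for `file://` pages). The site origin `https://example.test`, the `_csrf` field name and the `Session`/`Request` classes are constructed for the example; the header check only constrains browsers that set those headers honestly, so it complements rather than replaces the token.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed origin of the protected site; an assumption for this example.
SITE_ORIGIN = "https://example.test"


@dataclass
class Session:
    """Server-side session. The CSRF token is generated here and reaches the
    browser only inside the site's own pages (hidden form field) for the user
    that owns it; third-party sites are not supposed to ever see it."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming POST: form fields, the headers the checks
    below look at, and the session resolved from the user's cookie."""
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    session: Optional[Session] = None


def validate_csrf_token(request: Request, field_name: str = "_csrf") -> bool:
    """Token check in the spirit of a framework CSRF filter: the submitted
    hidden field must equal the token bound to the caller's own session.
    Note what it does NOT check: where the form was served from."""
    submitted = request.form.get(field_name)
    if request.session is None or submitted is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode())


def origin_is_trusted(request: Request, allowed: FrozenSet[str]) -> bool:
    """Independent check: the browser-supplied Origin (or, failing that, the
    Referer's origin) must name one of our own origins. Browsers attach Origin
    to cross-origin POSTs and send the literal string "null" for pages opened
    from file://, which is the 'HTML file outside the server' case."""
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer")
        if referer is None:
            return False  # fail closed when neither header is present
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in allowed


def accept_post(request: Request,
                allowed: FrozenSet[str] = frozenset({SITE_ORIGIN})) -> str:
    """Combined policy: token check first, then origin check."""
    if not validate_csrf_token(request):
        return "rejected: bad or missing CSRF token"
    if not origin_is_trusted(request, allowed):
        return "rejected: cross-origin submission"
    return "accepted"


def scenarios() -> Dict[str, object]:
    """Constructed requests replaying the question: all carry the same user's
    session cookie; only the token and the origin differ."""
    session = Session()
    token = session.csrf_token
    same_site = Request({"_csrf": token, "comment": "hi"}, {"Origin": SITE_ORIGIN}, session)
    referer_only = Request({"_csrf": token, "comment": "hi"},
                           {"Referer": SITE_ORIGIN + "/post/new"}, session)
    no_token = Request({"comment": "hi"}, {"Origin": SITE_ORIGIN}, session)
    wrong_token = Request({"_csrf": "not-the-token", "comment": "hi"},
                          {"Origin": SITE_ORIGIN}, session)
    # The copied form: the user's genuine token, submitted from a local HTML file.
    copied_form = Request({"_csrf": token, "comment": "hi"}, {"Origin": "null"}, session)
    return {
        "same_site": accept_post(same_site),
        "referer_only": accept_post(referer_only),
        "no_token": accept_post(no_token),
        "wrong_token": accept_post(wrong_token),
        # The token check alone passes the copied form: what the question observed.
        "copied_form_token_only": validate_csrf_token(copied_form),
        "copied_form_with_origin_check": accept_post(copied_form),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} {outcome}")
```

Run it as a script to see all six outcomes side by side. The `copied_form_token_only` entry is `True`: the token check is satisfied exactly as in the question, because the request really does come from the user who owns that token. Only the origin check turns the same request into a rejection.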
1

That's happening because, as you said, you are using CSRF. If you want to accept data from another domain, you'll need to disable CSRF at least for that particular request. Either this way:

use yii\web\Controller;

class MyController extends Controller
{
    public $enableCsrfValidation = false; // disables CSRF validation for every action
}

or this way:

use yii\web\Controller;

class MyController extends Controller
{
    public function beforeAction($action)
    {
        // Skip CSRF validation only for the 'incoming' action;
        // the parent call is what performs the validation.
        if (in_array($action->id, ['incoming'])) {
            $this->enableCsrfValidation = false;
        }
        return parent::beforeAction($action);
    }
}

From the cookbook: https://yii2-cookbook.readthedocs.io/csrf/

And also, from the official docs: https://www.yiiframework.com/doc/api/2.0/yii-web-controller#$enableCsrfValidation-detail

Chux
  • I don't know why this answer got downvoted, as the Yii1 Cookbook does provide the disabling of `CSRF` protection or adding a `CORS` filter when dealing with third-party form posts for the **specific** action. [**`SEE HERE`**](https://yii2-cookbook.readthedocs.io/incoming-post/). The downvoter should be reasonable enough to leave a comment so that either he or the guy downvoted could correct himself. I would give `+1` for this post. – Muhammad Omer Aslam May 15 '18 at 13:18
  • @MuhammadOmerAslam OP asked how to make CSRF protection work in the given scenario. This answer shows how to disable CSRF protection. It clearly does not answer the question. – rob006 May 16 '18 at 14:34
  • @rob006 and disabling CSRF for the specific action the third party is submitting the form to is one of the options provided; if you check the link I posted, you can do both. CORS would be better to handle it, but that does not invalidate the other option. – Muhammad Omer Aslam May 16 '18 at 14:38
  • @MuhammadOmerAslam I'm not sure how disabling CSRF protection could make it work (and this is the OP's question: why is CSRF protection not working?). If I have a broken car and I ask how to fix it, I don't want an answer with instructions on how to break my car again. – rob006 May 16 '18 at 14:44
  • @rob006 you can call a Yii action from a third-party website using CSRF protection. It's as simple as that. – Chux May 16 '18 at 14:46
  • @Chux OP wants to **block** requests from third-party websites. Disabling CSRF validation will definitely not help with that. – rob006 May 16 '18 at 14:49
  • 1
    @rob006 yeah, you are right, the actual question is about why it isn't working, whereas it should be blocking, and disabling won't make it work. You are right, I would take back the upvote; sorry Chux, but it does not provide the actual answer, and I would have to wait until you edit. – Muhammad Omer Aslam May 16 '18 at 15:00
  • @rob006 there's nothing I have to update, as it is impossible to have CSRF protection and call from a third-party website. You just can't do both at the same time. – Chux May 16 '18 at 15:49