How to define CSRF token in ajax call in Cakephp 3. Also How CSRF can be off for some ajax requests

ajax cakephp csrf cakephp-3.x
10,125

Solution 1

The CSRF component writes the current token to the request parameters as _csrfToken, you can get it via the request object's param() method (or getParam() as of CakePHP 3.4):

beforeSend: function(xhr){
    xhr.setRequestHeader(
        'X-CSRF-Token',
        <?= json_encode($this->request->param('_csrfToken')); ?>
    );
},

To make the token available to all your scripts, you can for example make it globally available as variable in your layout template:

<script>
var csrfToken = <?= json_encode($this->request->param('_csrfToken')) ?>;
// ...
<script>

You can then easily use it in all your AJAX requests:

setRequestHeader('X-CSRF-Token', csrfToken);

The CSRF component can be disabled by removing it from the controllers event manager. You'll have to figure on what condition you'd need to do that, for example for a specific action, like this:

public function beforeFilter(\Cake\Event\Event $event)
{
    parent::beforeFilter($event);

    if ($this->request->param('action') === 'actionXyz') {
        $this->eventManager()->off($this->Csrf);
    }
}

If you're using the CSRF middleware, then the token is still available as a request parameter named _csrfToken, disabling the middleware however works differently, see for example Cakephp 3.5.6 disable CSRF Middleware for controller

See also

Solution 2

Every form has a hidden _csrfToken field that's automatically added when you have enabled the Csrf component. Now you can easily get the token of this field by jquery like $('[name="_csrfToken"]').val().

A ajax call will look like this: 

$.ajax({
   url: 'someUrl',
   headers : {
      'X-CSRF-Token': $('[name="_csrfToken"]').val()
   },
   type: 'post',
   ...
});
Share:
10,125
ParminderBrar
Author by

ParminderBrar

Updated on June 11, 2022

Comments

  • ParminderBrar
    ParminderBrar almost 2 years

    In Cakephp3 when the Csrf component is enabled. How I can use it in ajax call. In this beforeSend parameter of ajax csrf token is set in header. What is the value of csrfToken. As it gives error

    csrfToken is not defined

    beforeSend: function(xhr){
    xhr.setRequestHeader('X-CSRF-Token', csrfToken);
},

    Also how can I disable Csrf component for some ajax calls.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

best practice to use action url while calling ajax in cakePHP
Simple AJAX / JSON response with CakePHP
Laravel 5.5 : 419 unknown status with AJAX
How to check Cakephp version from command line?
How to use ajax to update mysql db when checkbox condition is changed?
CakePHP AJAX call
protecting against CSRF on ajax requests and forms without submit buttons
How to Create a URL in Controller like HtmlHelper
CakePHP - How to return string (like JSON) from controller action to Ajax request
sending data via ajax in Cakephp