kartik-v/yii2-app-practical-a

Csrf token

Closed this issue · 7 comments

Alez commented

It's a pretty common situation: you're editing something in the Backend, then you go to the Frontend, refresh pages a few times, blah blah blah..., go back to the Backend, and then you try to submit the already filled-in form and BAM, you get a validation error because the CSRF cookies were replaced while you were using the Frontend part.
It is not a bug of course, everything works as intended, but can we do something about that?
Looks like we should use either the basic or the advanced app and not mix them up.
Thanks.

This depends on each application and developer's use case.

Please read this web tip / wiki and confirm whether it answers your query on how you can handle frontend and backend sessions on the same client.

Alez commented

So I've added identity options for the frontend and backend apps, but it didn't help at all. Nothing has changed. The Backend app still sets its CSRF and the Frontend app sets its CSRF.

Yes, it's as intended. The wiki link I shared was for you to have different identity cookie settings for backend and frontend.

For your requirement, you may want to pose this question on the yii project page or forums, on how it can be set or tweaked in the configuration.

CSRF cookies are separate from identity cookies and should be renamed per application separately.

Alez commented

Should we set it by default, Kartik?

    'components' => [
        // ...
        'request' => [
            'csrfParam' => '_backend_csrf',
        ],
        // ...
    ],

in \backend\config\main.php

Works like a charm.
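For reference, here is what the per-application renaming discussed above looks like when carried through to all three cookies (CSRF, identity, session). This is an added example, not code from kartik-v/yii2-app-practical-a or from the thread. It assumes both apps are served from the same host and that each has its own cookieValidationKey (the advanced-template default): a cookie signed by one app fails validation in the other, which then regenerates and overwrites it, matching the behaviour reported at the top of the issue. The helper function names, the `common\models\User` class and the key strings are assumptions for illustration.

```php
<?php
// Per-application cookie and session names for a Yii2 frontend + backend pair
// running on one host. Added example, not project code.
// Assumed: each app has its own cookieValidationKey, so any cookie name shared
// between the two apps gets rewritten whenever the "other" app handles a request.

/**
 * Component settings that give one application its own cookie names.
 * $app is 'frontend' or 'backend'; $validationKey is that app's
 * cookieValidationKey (the values passed below are placeholders).
 */
function perAppCookieConfig(string $app, string $validationKey): array
{
    return [
        'request' => [
            'cookieValidationKey' => $validationKey,
            // csrfParam names the hidden form field and, with the default
            // enableCsrfCookie = true, the cookie that stores the real token.
            'csrfParam'  => "_{$app}_csrf",
            'csrfCookie' => ['httpOnly' => true],
        ],
        'user' => [
            'identityClass'   => 'common\models\User', // assumed class
            'enableAutoLogin' => true,
            // Separate "remember me" cookie, as in the wiki referenced above.
            'identityCookie'  => ['name' => "_identity-{$app}", 'httpOnly' => true],
        ],
        'session' => [
            // Separate PHP session cookie, so logins do not collide either.
            'name' => "advanced-{$app}",
        ],
    ];
}

/** The cookie names each app will emit, for a quick collision check. */
function cookieNames(array $components): array
{
    return [
        $components['request']['csrfParam'],
        $components['user']['identityCookie']['name'],
        $components['session']['name'],
    ];
}

/** True when no cookie name is used by both applications. */
function cookieNamesDisjoint(array $a, array $b): bool
{
    return array_intersect(cookieNames($a), cookieNames($b)) === [];
}

// backend/config/main.php would merge this into its 'components' array:
//   'components' => array_merge(perAppCookieConfig('backend', $backendKey), [ /* db, ... */ ]),
// and frontend/config/main.php does the same with 'frontend'.
$backend  = perAppCookieConfig('backend',  'backend-key-placeholder');
$frontend = perAppCookieConfig('frontend', 'frontend-key-placeholder');

// Sanity check during bootstrap: fail loudly if someone reintroduces a shared name.
if (!cookieNamesDisjoint($backend, $frontend)) {
    throw new RuntimeException('frontend and backend share a cookie name');
}
```

One caveat: if `enableCsrfCookie` is set to `false` on the `request` component, Yii2 keeps the CSRF token in the session rather than in a cookie, and it is then the distinct `session` name that keeps the two tokens apart; renaming `csrfParam` alone would not be enough in that configuration.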

Will note this as an enhancement.

Resolved via upgrade to release v1.4.0.