Closed cebe closed 6 years ago
Possible options to fix it:
- $autoRegisterCsrf = false by default and make the default config make it true
- $autoRegisterCsrf to false in all subclasses

Workaround: Add the following to the config:

    'container' => [
        'definitions' => [
            'luya\cms\base\PhpBlockView' => [
                'autoRegisterCsrf' => false,
            ],
        ],
    ],
hm... setting autoRegisterCsrf to false globally seems to disable admin interface, so I needed to add the following to the admin module config:

    'on beforeAction' => function() {
        Yii::$app->view->autoRegisterCsrf = true;
    },
Will check all your inputs asap.
no need to hurry with this one, I got a workaround :)
Should be fixed and you're now able to disable the csrf auto registration as it's intended to be:

    'view' => [
        'class' => 'luya\web\View',
        'autoRegisterCsrf' => false,
    ],
Thanks for reporting
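A check for the expected result stated in this issue (no _csrf cookie on pages that contain no forms), as an added example that is not part of the thread or of LUYA's own code. The response records, URLs and token values are constructed, and treating "body contains a <form tag" as "page has a form" is a heuristic assumption.

```python
import re

CSRF_COOKIE = "_csrf"  # cookie name reported in the issue
FORM_RE = re.compile(r"<form\b", re.IGNORECASE)

def cookie_names(set_cookie_headers):
    """Return the names of all cookies set by a list of Set-Cookie header values."""
    names = set()
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0]           # name=value comes before the attributes
        if "=" in pair:
            names.add(pair.split("=", 1)[0].strip())
    return names

def audit(responses, cookie=CSRF_COOKIE):
    """Return URLs whose response sets `cookie` although the body has no <form>.

    Each response must come from a request sent WITHOUT an existing CSRF cookie,
    because the cookie is only generated when it does not exist yet.
    """
    findings = []
    for resp in responses:
        sets_csrf = cookie in cookie_names(resp["set_cookie"])
        has_form = bool(FORM_RE.search(resp["body"]))
        if sets_csrf and not has_form:
            findings.append(resp["url"])
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE_RESPONSES = [
    {"url": "/about",                      # static page, still receives the cookie
     "set_cookie": ["_csrf=constructed-token-1; path=/; HttpOnly"],
     "body": "<html><body><p>About us</p></body></html>"},
    {"url": "/contact",                    # form page, cookie is expected here
     "set_cookie": ["_csrf=constructed-token-2; path=/; HttpOnly"],
     "body": "<html><body><form method='post'><input name='mail'></form></body></html>"},
    {"url": "/imprint",                    # no cookie at all
     "set_cookie": [],
     "body": "<html><body><p>Imprint</p></body></html>"},
    {"url": "/news",                       # unrelated cookie, 'form' only inside a word
     "set_cookie": ["lang=en; path=/"],
     "body": "<html><body><p>Our platform news</p></body></html>"},
]

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print(f"{CSRF_COOKIE} cookie set on form-free page: {url}")
```

Pages that submit data from JavaScript without a form element will show up as findings and need a manual look.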
What steps will reproduce the problem?
Add the following to the config:
What is the expected result?
No csrf cookie should be generated on pages that do not contain forms.
What do you get instead?
_csrf cookie is generated on each page request if it does not exist.

Would be okay if there wasn't a law that requires to inform users when cookies are set :)
Why does this happen
luya\web\View is extended by some classes (e.g. luya\cms\base\PhpBlockView) that represent view contexts that do not represent the site-wide view context. Because $autoRegisterCsrf = true; by default these subclasses will enforce the CSRF cookie generation.

Additional infos