In Cakephp3 when the Csrf component is enabled. How I can use it in ajax call.
In this beforeSend
parameter of ajax csrf token is set in header. What is the value of csrfToken
. As it gives error
csrfToken is not defined
beforeSend: function(xhr){
xhr.setRequestHeader('X-CSRF-Token', csrfToken);
},
Also how can I disable Csrf component for some ajax calls.
The CSRF component writes the current token to the request parameters as _csrfToken
, you can get it via the request object's param()
method (or getParam()
as of CakePHP 3.4):
beforeSend: function(xhr){
xhr.setRequestHeader(
'X-CSRF-Token',
<?= json_encode($this->request->param('_csrfToken')); ?>
);
},
To make the token available to all your scripts, you can for example make it globally available as variable in your layout template:
<script>
var csrfToken = <?= json_encode($this->request->param('_csrfToken')) ?>;
// ...
<script>
You can then easily use it in all your AJAX requests:
setRequestHeader('X-CSRF-Token', csrfToken);
The CSRF component can be disabled by removing it from the controllers event manager. You'll have to figure on what condition you'd need to do that, for example for a specific action, like this:
public function beforeFilter(\Cake\Event\Event $event)
{
parent::beforeFilter($event);
if ($this->request->param('action') === 'actionXyz') {
$this->eventManager()->off($this->Csrf);
}
}
If you're using the CSRF middleware, then the token is still available as a request parameter named _csrfToken
, disabling the middleware however works differently, see for example Cakephp 3.5.6 disable CSRF Middleware for controller
See also
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With