我认为Yii正在对CSRF进行验证,尝试扩展CHttpRequest基类并根据会话进行验证。这会导致会话持续时间与CSRF有效性相反。
class HttpRequest extends CHttpRequest
{
public function getCsrfToken()
{
if ($this->_csrfToken === null) {
$session = Yii::app()->session;
$csrfToken = $session->itemAt($this->csrfTokenName);
if ($csrfToken === null) {
$csrfToken = sha1(uniqid(mt_rand(), true));
$session->add($this->csrfTokenName, $csrfToken);
}
$this->_csrfToken = $csrfToken;
}
return $this->_csrfToken;
}
public function validateCsrfToken($event)
{
if ($this->getIsPostRequest()) {
// only validate POST requests
$session = Yii::app()->session;
$headers = Common::getAllHeaders();
if ($session->contains($this->csrfTokenName) && (isset($_POST[$this->csrfTokenName]) || isset($headers['X-Csrf-Token']))) {
$tokenFromSession = $session->itemAt($this->csrfTokenName);
$tokenFromPost = isset($_POST[$this->csrfTokenName]) ? $_POST[$this->csrfTokenName] : $headers['X-Csrf-Token'];
$valid = $tokenFromSession === $tokenFromPost;
} else {
$valid = false;
}
if (!$valid) {
header("Location: " . Yii::app()->createAbsoluteUrl(Yii::app()->request->url));
}
}
}
}
而且使用它作为您的配置文件:
'request' => array(
'enableCsrfValidation' => true,
'class' => 'HttpRequest',
'csrfCookie' => array(
'httpOnly' => true,
'secure' => true
),
注:DONOT复制和粘贴的所有内容。根据您的需要修改。这只是一个开始。希望我明白你的问题。
来源
2015-04-01 04:46:15
TNC
您是否为每个请求生成CSRF令牌? – TNC 2015-04-01 03:52:44