CakePHP：CMS 教程：获取 InvalidCsrfTokenException 尽管 csrf 保护它甚至没有被激活

Question

我在 Lubuntu 上安装了 CakePHP 4.0.6。使用本地 Apache 服务器。安装顺利，我可以看到欢迎页面。

然后我开始 CMS 教程，在数据库中创建表，然后使用 bake 创建所有内容 ./cake bake all --everything 这也很好，我可以看到/users/index 页面。

当然，接下来我尝试通过添加用户来使用 cms，显示表单并填写了请求的信息，但在提交时出现此错误： 缺少 CSRF 令牌正文

堆栈跟踪：

[Cake\Http\Exception\InvalidCsrfTokenException] /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php 在第 254 行堆栈跟踪：-/home /david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:133 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php： 162 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware。 php:68 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Error/Middleware/ ErrorHandlerMiddleware.php:119 - /home/david/Software/cakePhpTest/v endor/cakephp/cakephp/src/Http/Runner.php:73 - /home/david/Software/cakePhpTest/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php:60 - /home/david/Software/cakePhpTest/供应商/cakephp/cakephp/src/Http/Runner.php:73 - /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58 - /home/david/Software/cakePhpTest/ vendor/cakephp/cakephp/src/Http/Server.php:90 - /home/david/Software/cakePhpTest/webroot/index.php:40 请求 URL：/users/add 引用 URL：http://localhost:8765/users/add 客户端 IP：127.0。 0.1

真正让我困惑的是，根据CakePHP Documentation 跨站点请求伪造保护必须在src/Application.php 中启用，这不在新安装的项目中。我查过了。

那么没有启用的东西怎么会导致错误。

要查看如果启用它会发生什么，我从文档中复制了代码：

use Cake\Http\Middleware\CsrfProtectionMiddleware;

...

$options = [
// ...
];
$csrf = new CsrfProtectionMiddleware($options);

到src/Application.php。这会导致同样的错误。

Answer 1

在默认应用程序框架中，CSRF 中间件在路由范围内注册，您链接的文档的第二个示例中显示了类似的内容。

$routes->scope('/', function (RouteBuilder $builder) {
    // Register scoped middleware for in scopes.
    $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
         'httpOnly' => true,
     ]));

     /*
      * Apply a middleware to the current route scope.
      * Requires middleware to be registered through `Application::routes()` with `registerMiddleware()`
      */
     $builder->applyMiddleware('csrf');

     // ...
});

https://github.com/cakephp/app/blob/4.0.3/config/routes.php#L49-L58

查看您的config/routes.php 文件并根据您的需要配置/删除中间件。

如果您想要使用 CSRF 中间件，请确保删除您的域 cookie，CSRF 令牌 cookie 已更改，当前与现有 CSRF 令牌 cookie 不兼容，请参阅https://github.com/cakephp/cakephp/issues/14471。