0
votes

I set up CakePHP 4.0.6 on my Lubuntu, using a local Apache server. Installation went fine; I can see the welcome page.

Then I started the CMS Tutorial, created the tables in the database and then created everything with bake: ./cake bake all --everything. This worked fine as well and I could see the /users/index page.

Next, of course, I tried to play with the CMS by adding a user. The form was shown and I filled in the requested information, but upon submitting I got this error: Missing CSRF token body

Stacktrace:

[Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token body in /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 254
Stack Trace:
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:133
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:162
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:119
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php:60
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Server.php:90
- /home/david/Software/cakePhpTest/webroot/index.php:40
Request URL: /users/add
Referer URL: http://localhost:8765/users/add
Client IP: 127.0.0.1

What really puzzles me is that, according to the CakePHP documentation, cross-site request forgery protection would have to be enabled in src/Application.php, which it is not in a freshly installed project. I checked.

So how can something that is not enabled cause an error?

To see what would happen if I enabled it, I copied the code from the documentation:

use Cake\Http\Middleware\CsrfProtectionMiddleware;

...

$options = [
// ...
];
$csrf = new CsrfProtectionMiddleware($options);

to the src/Application.php. This led to the same error.

1 Answers

1
votes

In the default application skeleton, the CSRF middleware is registered in a routing scope; something similar is shown in the second example of the docs that you've linked.

$routes->scope('/', function (RouteBuilder $builder) {
    // Register scoped middleware for in scopes.
    $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,
    ]));

    /*
     * Apply a middleware to the current route scope.
     * Requires middleware to be registered through `Application::routes()` with `registerMiddleware()`
     */
    $builder->applyMiddleware('csrf');

    // ...
});

https://github.com/cakephp/app/blob/4.0.3/config/routes.php#L49-L58

See your config/routes.php file and configure/remove the middleware according to your needs.

If you want to use the CSRF middleware, make sure to delete your cookies for the domain; there has been a change made to CSRF token cookies which is currently incompatible with existing CSRF token cookies, see https://github.com/cakephp/cakephp/issues/14471.
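
As an added illustration of "configure/remove the middleware according to your needs" (not part of the original answer and not the CakePHP skeleton's own file): a config/routes.php sketch that keeps the CSRF middleware on the browser-facing scope and leaves it off only for a separate scope. The /api prefix and the Articles resource are hypothetical, and the sketch assumes those endpoints never authenticate with cookies.

```php
<?php
// config/routes.php (sketch; '/api' and 'Articles' are hypothetical names)
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\Route\DashedRoute;
use Cake\Routing\RouteBuilder;

/** @var \Cake\Routing\RouteBuilder $routes */
$routes->setRouteClass(DashedRoute::class);

// Assumption: clients of this scope authenticate per request (for example
// with a bearer token) and never with a session cookie, so there is no
// ambient credential for a forged cross-site request to ride on.
// The 'csrf' middleware is deliberately NOT applied here.
$routes->scope('/api', function (RouteBuilder $builder) {
    $builder->setExtensions(['json']);
    $builder->resources('Articles');
});

// Browser-facing routes: forms are submitted together with the session
// cookie, so every state-changing request must carry the CSRF token.
$routes->scope('/', function (RouteBuilder $builder) {
    // Register the middleware under a name for use in route scopes.
    $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,
    ]));

    // Apply it to every route connected inside this scope,
    // including baked pages such as /users/add.
    $builder->applyMiddleware('csrf');

    $builder->connect('/', ['controller' => 'Pages', 'action' => 'display', 'home']);
    $builder->fallbacks();
});
```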