`config.web.php` already provides a prefix, so `config.security` should not provide one.
Can be merged later whenever necessary. Also verifies if the protection is enabled or not.
parent
cd331dc39d
commit
0e2eb5ef72
|
@ -50,12 +50,12 @@ return [
|
|||
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
|
||||
*/
|
||||
'csrf_protection' => true,
|
||||
'csrf_token_name' => 'fw_csrf_token',
|
||||
'csrf_token_name' => 'csrf_token',
|
||||
'csrf_expire' => 7200,
|
||||
'csrf_exclude_uris' => array(),
|
||||
|
||||
// CSRF Cookie information
|
||||
'csrf_cookie_name' => 'fw_csrf_cookie',
|
||||
'csrf_cookie_name' => 'csrf_cookie',
|
||||
'csrf_cookie_prefix' => '',
|
||||
'csrf_cookie_domain' => '',
|
||||
'csrf_cookie_path' => '/',
|
||||
|
|
|
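Review bot: The renamed `csrf_cookie_name` now depends on a prefix defined in another file, but nothing in this config says so, and `'csrf_cookie_prefix' => ''` is left in place right below it. A short comment on that key would stop a later maintainer from setting a second prefix here, for example `// Cookie prefix comes from config.web.php; keep this empty`. Whether that prefix also applies to `csrf_token_name` is not visible from this hunk, so the comment should state whichever is true for the token field as well.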
@ -188,7 +188,7 @@ class Security {
|
|||
$this->input = Factory::getInstance()->input;
|
||||
|
||||
// Is CSRF protection enabled?
|
||||
if ($this->config->csrf_protection)
|
||||
if ($this->config->get('csrf_protection'))
|
||||
{
|
||||
// CSRF config
|
||||
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
|
||||
|
@ -222,6 +222,10 @@ class Security {
|
|||
*/
|
||||
public function csrf_verify(): self
|
||||
{
|
||||
// If not enabled, do not run
|
||||
if (!$this->config->get('csrf_protection'))
|
||||
return $this;
|
||||
|
||||
// If it's not a POST request we will set the CSRF cookie
|
||||
if (strtoupper($this->input->server('REQUEST_METHOD')) !== 'POST')
|
||||
return $this->csrf_set_cookie();
|
||||
|
|
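Review bot: The guard added at the top of `csrf_verify()` returns early on any falsy value, so a missing or mistyped `csrf_protection` key would turn verification off without any signal, assuming `get()` yields null for an unknown key (its behaviour is not visible here). Skipping only on an explicit opt-out, `if ($this->config->get('csrf_protection') === false)`, keeps the check fail-closed. The constructor test changed in the -188 hunk should use the matching strict comparison so setup and verification agree. Logging once when verification is skipped would make a disabled state visible in production. The body of `csrf_verify()` continues outside the hunk.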