`config.web.php` already provides a prefix, so `config.security` should not provide one.
Can be merged later whenever necessary. Also verifies if the protection is enabled or not.
parent
cd331dc39d
commit
0e2eb5ef72
|
@ -50,12 +50,12 @@ return [
|
||||||
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
|
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
|
||||||
*/
|
*/
|
||||||
'csrf_protection' => true,
|
'csrf_protection' => true,
|
||||||
'csrf_token_name' => 'fw_csrf_token',
|
'csrf_token_name' => 'csrf_token',
|
||||||
'csrf_expire' => 7200,
|
'csrf_expire' => 7200,
|
||||||
'csrf_exclude_uris' => array(),
|
'csrf_exclude_uris' => array(),
|
||||||
|
|
||||||
// CSRF Cookie information
|
// CSRF Cookie information
|
||||||
'csrf_cookie_name' => 'fw_csrf_cookie',
|
'csrf_cookie_name' => 'csrf_cookie',
|
||||||
'csrf_cookie_prefix' => '',
|
'csrf_cookie_prefix' => '',
|
||||||
'csrf_cookie_domain' => '',
|
'csrf_cookie_domain' => '',
|
||||||
'csrf_cookie_path' => '/',
|
'csrf_cookie_path' => '/',
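Review bot: The inline documentation should say where the cookie prefix now comes from, because `csrf_cookie_prefix` stays `''` here while the token and cookie names lose their `fw_` prefix. Per the commit description the prefix is supplied by `config.web.php`; a comment such as `// Names are unprefixed on purpose; the cookie prefix is taken from config.web.php` above `csrf_cookie_name` would keep that visible to whoever edits this file next. If that prefix can ever be empty, the cookie would presumably be sent as plain `csrf_cookie` on path `/`, a generic name that can collide with another application on the same host, so it is worth confirming a non-empty prefix is enforced. Forms rendered before deployment still carry `fw_csrf_token` and will likely fail verification once after the rename.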
|
||||||
|
|
|
@ -188,7 +188,7 @@ class Security {
|
||||||
$this->input = Factory::getInstance()->input;
|
$this->input = Factory::getInstance()->input;
|
||||||
|
|
||||||
// Is CSRF protection enabled?
|
// Is CSRF protection enabled?
|
||||||
if ($this->config->csrf_protection)
|
if ($this->config->get('csrf_protection'))
|
||||||
{
|
{
|
||||||
// CSRF config
|
// CSRF config
|
||||||
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
|
foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
|
||||||
|
@ -222,6 +222,10 @@ class Security {
|
||||||
*/
|
*/
|
||||||
public function csrf_verify(): self
|
public function csrf_verify(): self
|
||||||
{
|
{
|
||||||
|
// If not enabled, do not run
|
||||||
|
if (!$this->config->get('csrf_protection'))
|
||||||
|
return $this;
|
||||||
|
|
||||||
// If it's not a POST request we will set the CSRF cookie
|
// If it's not a POST request we will set the CSRF cookie
|
||||||
if (strtoupper($this->input->server('REQUEST_METHOD')) !== 'POST')
|
if (strtoupper($this->input->server('REQUEST_METHOD')) !== 'POST')
|
||||||
return $this->csrf_set_cookie();
|
return $this->csrf_set_cookie();
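Review bot: The new guard at the top of `csrf_verify()` fails open: any falsy result from `$this->config->get('csrf_protection')` returns `$this` without checking the token, and that presumably includes a missing or mistyped key, not only an explicit `false`. Treating only an explicit opt-out as disabled, `if ($this->config->get('csrf_protection') === false)`, with the matching `!== false` in the constructor check in the @ -188 hunk, would keep protection on when the key is absent. Both places have to agree, since the constructor loads the token and cookie names only when protection is enabled, so resolving the flag once into a property and reading it in both would avoid drift. The docblock above the method should also state that it returns early without verification when protection is disabled. csrf_verify's body continues outside the hunk.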
|
||||||
|
|