# |
Aug 15th 2019, 14:49 |
martin |
you need to turn it on by the middleware |
# |
Aug 15th 2019, 14:49 |
martin |
by default the cookie of csrf is not readable by javascript |
# |
Aug 15th 2019, 14:49 |
neon1024 |
..but that doesn’t work, so yeah, I’ll give it a try, thanks! |
# |
Aug 15th 2019, 14:48 |
neon1024 |
@ndm The documentation said to use the cookie |
# |
Aug 15th 2019, 14:48 |
ndm |
On the first request there would be no cookie |
# |
Aug 15th 2019, 14:48 |
ndm |
@neon1024 Also you should better read the CSRF token from the request parameters, like `$this->getRequest()->getParam('_csrfToken')` |
# |
Aug 15th 2019, 14:46 |
martin |
@ndm / @ricksaccous problem is that most of the tables that I use (old ones) are in Europe/Amsterdam, but this database uses UTC, so I wanted to set the single database to UTC :P |
# |
Aug 15th 2019, 14:45 |
ndm |
`_Token[fields]` still wrong... or copy pasta error |
# |
Aug 15th 2019, 14:45 |
neon1024 |
..because `[]` !== `''` ? |
# |
Aug 15th 2019, 14:44 |
slackebot |
<neon1024> |
# |
Aug 15th 2019, 14:44 |
neon1024 |
Yep, I’ve done that |
# |
Aug 15th 2019, 14:43 |
ndm |
@neon1024 See `\Cake\View\Helper\FormHelper::secure()` also. |
# |
Aug 15th 2019, 14:43 |
martin |
@ndm ok, will try that |
# |
Aug 15th 2019, 14:42 |
ndm |
@neon1024 You're probably not sending the `X-CSRF-Token` header... and the security token is invalid because a) `fields` is supposed to be a hash (see `\Cake\Utility\Security\SecureFieldTokenTrait::_buildFieldToken()`), and `debug` should be an array where the first element is the current URL, the second element an array of fields, and the third element an array of unlocked fields. |
# |
Aug 15th 2019, 14:39 |
neon1024 |
If it takes more than 30 minutes to set up, then it’s not worth using |
# |
Aug 15th 2019, 14:39 |
neon1024 |
Although, I’ll be honest, I am close to removing both of them to solve the problem. |
# |
Aug 15th 2019, 14:38 |
neon1024 |
I added the CsrfProtectionMiddleware and now I can’t log in to my application due to `CSRF token mismatch. Cake\Http\Exception\InvalidCsrfTokenException` so I’m just working to try and find out why that is. Then I can go back to figuring out why my `_Token` used by SecurityComponent is causing a 400 Bad Request on my Ajax :slightly_smiling_face: |
# |
Aug 15th 2019, 14:36 |
neon1024 |
I’ve worked myself into a circle here, and totally lost the plot. Sorry @ndm |
# |
Aug 15th 2019, 14:35 |
ndm |
@neon1024 The debug token contains for example the fields in plain text, it's used by the security component to figure the cause for a token mismatch, so that it can tell you what exactly the problem is. |
# |
Aug 15th 2019, 14:33 |
neon1024 |
This is a nightmare! |
# |
Aug 15th 2019, 14:33 |
neon1024 |
Turning on the Csrf Middleware means I can’t even log in! |
# |
Aug 15th 2019, 14:25 |
neon1024 |
I wish the SecurityComponent was easy to use ,:( |
# |
Aug 15th 2019, 14:25 |
ndm |
@martin Timezone conversion on read is coming in 4.x, you can backport the code to a custom type if you need it. Personally I'd go full UTC as mentioned by @ricksaccous, that makes avoiding pitfalls a lot easier. |
# |
Aug 15th 2019, 14:17 |
neon1024 |
Well at least now I’m getting a 400 Bad Request |
# |
Aug 15th 2019, 14:08 |
slackebot |
<neon1024> |
# |
Aug 15th 2019, 14:07 |
neon1024 |
Anyone know what the `_Token[debug]` is supposed to be? |
# |
Aug 15th 2019, 14:06 |
ricksaccous |
but i know that's the general idea |
# |
Aug 15th 2019, 14:05 |
ricksaccous |
I'm actually not sure of the "right" way to do it, heh |
# |
Aug 15th 2019, 14:05 |
ricksaccous |
and when you want to display the time to users you do a bit of handling however you see fit to display it in their timezone |
# |
Aug 15th 2019, 14:04 |
ricksaccous |
@martin generally you set your default timezone to UTC so it will be set to UTC in db |
# |
Aug 15th 2019, 14:02 |
neon1024 |
What a pain in the ass :( |
# |
Aug 15th 2019, 13:57 |
martin |
I see in the “toDatabase” function in the type something happens with the timezone. But in the toPhp nothing happens? |
# |
Aug 15th 2019, 13:55 |
martin |
I’ve my default timezone set to Europe/Amsterdam, I’ve added `'timezone' => 'UTC'` to my database config. But when I read an item from the database, the timezone of the time is Europe/Amsterdam, so it will not be converted to the Amsterdam time. Am I doing something wrong? |
# |
Aug 15th 2019, 13:53 |
neon1024 |
Perhaps I’ll add it once I learn how to do that |
# |
Aug 15th 2019, 13:53 |
neon1024 |
All it needs is a link with ‘Find out how to generate a token to send as a header’ |
# |
Aug 15th 2019, 13:52 |
slackebot |
<neothermic> |
# |
Aug 15th 2019, 13:51 |
slackebot |
<neon1024> |
# |
Aug 15th 2019, 13:51 |
neothermic |
(very dry sarcasm) |
# |
Aug 15th 2019, 13:51 |
neothermic |
@neon1024 https://github.com/cakephp/docs/blob/3.0/en/controllers/components/csrf.rst ;) |
# |
Aug 15th 2019, 13:44 |
neon1024 |
No code examples, links or forward user journey ,:( |
# |
Aug 15th 2019, 13:44 |
neon1024 |
Top docs here! https://book.cakephp.org/3.0/en/controllers/components/csrf.html#csrf-protection-and-ajax-requests |