
I set up CakePHP 4.0.6 on my Lubuntu, using a local Apache server. Installation went fine; I can see the welcome page.

Then I started the CMS Tutorial, created the tables in the database, and then created everything with bake (./cake bake all --everything). This worked fine as well, and I could see the /users/index page.

Next, of course, I tried to play with the CMS by adding a user. The form was shown and I filled in the requested information, but upon submitting I got this error: Missing CSRF token body

Stacktrace:

[Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token body in /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 254
Stack Trace:
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:133
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:162
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:119
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php:60
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home/david/Software/cakePhpTest/vendor/cakephp/cakephp/src/Http/Server.php:90
- /home/david/Software/cakePhpTest/webroot/index.php:40
Request URL: /users/add
Referer URL: http://localhost:8765/users/add
Client IP: 127.0.0.1

What really puzzles me is that, according to the CakePHP documentation, cross-site request forgery protection would have to be enabled in src/Application.php, which it is not in a freshly installed project. I checked.

So how can something that is not enabled cause an error?

To see what would happen if I enabled it, I copied the code from the documentation:

use Cake\Http\Middleware\CsrfProtectionMiddleware;

...

$options = [
// ...
];
$csrf = new CsrfProtectionMiddleware($options);

to the src/Application.php. This led to the same error.

1 Answer

In the default application skeleton, the CSRF middleware is registered in a routing scope; something similar is shown in the second example of the docs that you've linked.

$routes->scope('/', function (RouteBuilder $builder) {
    // Register scoped middleware for use in scopes.
    $builder->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,
    ]));

    /*
     * Apply a middleware to the current route scope.
     * Requires middleware to be registered through `Application::routes()` with `registerMiddleware()`
     */
    $builder->applyMiddleware('csrf');

    // ...
});

https://github.com/cakephp/app/blob/4.0.3/config/routes.php#L49-L58

See your config/routes.php file and configure/remove the middleware according to your needs.

If you want to use the CSRF middleware, make sure to delete your cookies for the domain. There has been a change made to CSRF token cookies which is currently incompatible with existing CSRF token cookies; see https://github.com/cakephp/cakephp/issues/14471.


1 Comment

Thank you! I had to remove the old cookies.
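
A regression test for the routing-scope registration described in the answer, as an added example that is not part of the original post or of the CakePHP skeleton: it checks that a POST to /users/add without a token is refused and that one carrying a token is accepted. The class and file name, the app.Users fixture, the field names and the redirect target are assumptions based on the baked CMS tutorial code.

```php
<?php
declare(strict_types=1);

// tests/TestCase/Controller/UsersCsrfTest.php (hypothetical file name)
namespace App\Test\TestCase\Controller;

use Cake\ORM\TableRegistry;
use Cake\TestSuite\IntegrationTestTrait;
use Cake\TestSuite\TestCase;

class UsersCsrfTest extends TestCase
{
    use IntegrationTestTrait;

    // Assumes the Users fixture that bake generated alongside the model.
    protected $fixtures = ['app.Users'];

    // Constructed sample input; field names assume the CMS tutorial's users table.
    private $user = [
        'email' => 'csrf-test@example.com',
        'password' => 'constructed-sample',
    ];

    public function testPostWithoutTokenIsRejected(): void
    {
        // No CSRF cookie and no _csrfToken field: the scoped middleware must refuse.
        $this->post('/users/add', $this->user);

        // InvalidCsrfTokenException is an HTTP exception rendered as 403.
        $this->assertResponseCode(403);

        // The controller action must not have run, so nothing was saved.
        $users = TableRegistry::getTableLocator()->get('Users');
        $count = $users->find()->where(['email' => $this->user['email']])->count();
        $this->assertSame(0, $count, 'Rejected request must not create a user');
    }

    public function testPostWithTokenIsAccepted(): void
    {
        // Test-suite helper: sends a matching CSRF cookie and body token.
        $this->enableCsrfToken();
        $this->post('/users/add', $this->user);

        // Assumes the baked add() action redirects to index after saving.
        $this->assertRedirect(['controller' => 'Users', 'action' => 'index']);
    }
}
```

Run it with vendor/bin/phpunit from the application root; if the first test starts failing after an edit to config/routes.php, the scope serving /users/add no longer applies the csrf middleware.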
