How to Disable CSRF Protection


Question

11 answers to this question

  • 0

You need to update your configuration file to set specific controller methods that should bypass the CSRF check. You can update /config/blesta.php, then find and update

Configure::set('Blesta.csrf_bypass', array());

to:

Configure::set('Blesta.csrf_bypass', array('client_login::index', 'client_login::reset'));

That will disable the CSRF check on the client login and client reset password pages.

The ISO-3166 for Bangladesh includes multiple districts and divisions, and some of the divisions have the same name as the district, hence why "Chittagong" appears duplicate--one refers to the division and the other refers to the district. If you need to update the States in Blesta to better represent provinces in your area more specifically than the ISO-3166 can represent, you can try the States&Countries plugin to update them.

  • 0
On 16/11/2017 at 12:14 AM, Tyson said:

You need to update your configuration file to set specific controller methods that should bypass the CSRF check. You can update /config/blesta.php, then find and update

Configure::set('Blesta.csrf_bypass', array());

to:

Configure::set('Blesta.csrf_bypass', array('client_login::index', 'client_login::reset'));

That will disable the CSRF check on the client login and client reset password pages.

What should I do to disable the CSRF check for the registration page?

  • 0

Yes, you can disable it similar to what is shown above in the configuration file using the plugin controller and method. But since it's in your plugin, you can always disable it from the source by calling Form::setCsrfOptions prior to Form::create, e.g.:

$this->Form->setCsrfOptions(['set_on_create' => false]);
$this->Form->create();

 

  • 0
17 hours ago, Tyson said:

Yes, you can disable it similar to what is shown above in the configuration file using the plugin controller and method. But since it's in your plugin, you can always disable it from the source by calling Form::setCsrfOptions prior to Form::create, e.g.:

$this->Form->setCsrfOptions(['set_on_create' => false]);
$this->Form->create();

 

Thanks for your response. But I was unable to figure out how to build keys for the configuration file like you have if my controller is in a plugin. I can't set it in the form as this is used via curl. I can't use APIs for this because I need this to be without authentication. It should do a very specific task.
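Every entry added to Blesta.csrf_bypass is an endpoint that accepts cross-site form posts, so the list is worth reviewing whenever the configuration file changes. The script below is an added example, not part of the thread and not Blesta code: it extracts the active bypass entries from a copy of /config/blesta.php and reports any that are not on a reviewed list. The APPROVED set, the function names and the sample configuration text are assumptions made for illustration, and the matching is regex-based rather than a full PHP parse.

```python
import re
import sys

# Constructed sample of the relevant part of /config/blesta.php (not a real file).
SAMPLE_CONFIG = """<?php
// Configure::set('Blesta.csrf_bypass', array('old::entry'));
Configure::set('Blesta.csrf_bypass', array(
    'client_login::index', # login form
    "client_login::reset",
));
"""

# Assumption: the entries the site owner has reviewed and accepted.
APPROVED = {"client_login::index"}

# PHP comments (/* */, //, #). Limitation: also strips these markers inside
# string literals, which bypass entries themselves never contain.
_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
# Matches both array(...) and [...] forms of the setting.
_SETTING = re.compile(
    r"Configure::set\(\s*['\"]Blesta\.csrf_bypass['\"]\s*,\s*"
    r"(?:array\s*\(|\[)(.*?)(?:\)|\])\s*\)\s*;", re.S)
_STRING = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def bypass_entries(php_source):
    """Return the entries of every uncommented Blesta.csrf_bypass assignment."""
    active = _COMMENTS.sub("", php_source)
    entries = []
    for body in _SETTING.findall(active):
        entries += [single or double for single, double in _STRING.findall(body)]
    return entries


def unapproved(php_source, approved=APPROVED):
    """Return bypass entries that are not on the reviewed list, sorted."""
    return sorted(set(bypass_entries(php_source)) - set(approved))


if __name__ == "__main__":
    # Pass the path to a config file, or run without arguments on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            source = handle.read()
    else:
        source = SAMPLE_CONFIG
    extra = unapproved(source)
    for entry in extra:
        print("CSRF check bypassed without review:", entry)
    sys.exit(1 if extra else 0)
```

The non-zero exit status lets the check run in a deployment pipeline or a scheduled job that watches the configuration file.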
