Yii2 Application Development Cookbook - Third Edition

By: Sergey Ivanov, Andrew Bogdanov, Dmitry Eliseev

Overview of this book

Yii is a free, open source web application development framework written in PHP5 that promotes clean DRY design and encourages rapid development. It works to streamline your application development time and helps to ensure an extremely efficient, extensible, and maintainable end product. Being extremely performance optimized, Yii is a perfect choice for a project of any size. However, it has been built with sophisticated enterprise applications in mind. You have full control over the configuration from head to toe (presentation to persistence) to conform to your enterprise development guidelines. It comes packaged with tools to help test and debug your application, and has clear and comprehensive documentation. This book is a collection of Yii2 recipes. Each recipe is presented as a full and independent item that showcases solutions from real web applications, so you can easily reproduce them in your environment and learn Yii2 fast and without tears. All recipes are explained with step-by-step code examples and clear screenshots. Yii2 is like a suit that looks great off the rack but is also very easy to tailor to fit your needs. Virtually every component of the framework is extensible. This book will show how to use official extensions, extend any component, or write a new one. It will help you create modern web applications quickly and make sure they perform well, using examples and business logic from real life. You will deal with the Yii command line, migrations, and assets. You will learn about role-based access, security, and deployment. We’ll show you how to easily get started, configure your environment, and be ready to write web applications efficiently and quickly.

Preventing CSRF

CSRF is an abbreviation for cross-site request forgery, where a malicious user tricks the user's browser into silently performing an HTTP request to the website when the user is logged in.

An example of such an attack is inserting an invisible image tag with src pointing to Even if the image tag is inserted in another website, you will be immediately logged out from The consequences of CSRF can be very serious: destroying website data, preventing all website users from logging in, exposing private data, and so on.

Some facts about CSRF:

  • Because CSRF is carried out by the victim user's browser, the attacker cannot normally change the HTTP headers that are sent. However, browser and Flash plugin vulnerabilities that allow headers to be spoofed have existed, so we should not rely on headers as a defense.

  • The attacker must pass the same parameters and values that the user would normally send.

Considering these, a good method of dealing with CSRF is by...
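The check these two facts point toward is a per-session secret that the forged request cannot reproduce, because the attacker can copy every visible parameter but cannot read a page on our origin. Below is an added, framework-independent Python illustration of such a token check (not code from the book or from Yii2 itself); the `_csrf` field name, the session dict and the `handle_post` handler are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple

CSRF_PARAM = "_csrf"  # hypothetical form field name used in this example


def issue_csrf_token(session: dict) -> str:
    """Create (once per session) a random secret and return a form token.

    The secret stays server-side in the session; a page on another origin
    cannot read it, so a forged request cannot include a valid token.
    """
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_bytes(32)
    secret = session["csrf_secret"]
    # Per-form random mask: the value sent to the browser differs each time
    # (token = mask || (mask XOR secret)), so the raw secret never repeats on a page.
    mask = secrets.token_bytes(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return (mask + masked).hex()


def validate_csrf_token(session: dict, token: Optional[str]) -> bool:
    """Unmask the submitted token and compare it to the session secret in constant time."""
    secret = session.get("csrf_secret")
    if secret is None or not token:
        return False
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != 2 * len(secret):
        return False
    mask, masked = raw[: len(secret)], raw[len(secret):]
    unmasked = bytes(m ^ x for m, x in zip(mask, masked))
    return hmac.compare_digest(unmasked, secret)


def handle_post(session: dict, params: dict) -> str:
    """State-changing handler: reject any request whose token does not match."""
    if not validate_csrf_token(session, params.get(CSRF_PARAM)):
        return "400 Bad Request: CSRF token missing or invalid"
    return f"200 OK: deleted post {params['id']}"


def demo() -> Tuple[str, str]:
    victim_session = {"user_id": 42}  # constructed: a logged-in user's session
    legit_token = issue_csrf_token(victim_session)
    # A form rendered by our own site carries the token.
    legit = handle_post(victim_session, {"id": "7", CSRF_PARAM: legit_token})
    # A forged cross-site request: the browser still attaches the victim's session,
    # and the attacker reproduces every normal parameter, but not the token.
    forged = handle_post(victim_session, {"id": "7"})
    return legit, forged
```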