3.0 - adding error callback to CsrfComponent

[PGBI]

In cakephp 2, it was possible to handle Csrf errors with a blackhole method. In cakephp 3, Csrf handling was moved out from SecurityComponent to CsrfComponent, but the CsrfComponent does not offer the option to choose how to handle csrf errors (no blackhole callback).

I'm asking this cause most of the time, csrf errors are caused by session expiration rather than hack attempt. I think it would be nice to be able to tell the user "sorry, your session has expired" instead of throwing a 403 error.

What do you think?

[lorenzo]

The csrf check does not rely on the session

[PGBI]

My bad. But it does rely on a cookie right? A cookie that can also expire.

[lorenzo]

The cookie will live for as long as you have the browser open

[PGBI]

Unless you switch to privacy mode. Or if you delete them. Ok that's tricky situations, but I trust my users to find many more of them :D

In cakephp 2 it was possible to capture csrf errors with the blackhole method. Not in cakephp 3. Don't you think that's a regression?

Is there a reason why SecurityComponent would have such a feature and not the Csrf one?

[lorenzo]

I just think adding the callback would be misleading.
On tir. 12. maj 2015 at 19.38 Pierre notifications@github.com wrote:

Unless you switch to privacy mode. Or if you delete them. Ok that's tricky
situations, but I trust my users to find many more of them :D

In cakephp 2 it was possible to capture csrf errors with the blackhole
method. Not in cakephp 3. Don't you think that's a regression?

Is there a reason why SecurityComponent would have such a feature and not
the Csrf one?

—
Reply to this email directly or view it on GitHub
#6546 (comment).

[markstory]

I don't see the lack of a callback as a regression as the current CSRF implemenatation is totally separate and distinct from the previous one. Would having a specific exception class help? That way you could render a different error template for CSRF errors which sounds like what you need if I'm understanding things correctly.

[PGBI]

In cakephp 2, we could define a blackhole method as this:

public function beforeFilter() {
    $this->Security->blackHoleCallback = 'blackhole';
}

public function blackhole($type) {
    // handle errors.
}

$type being one of these strings: 'auth', 'csrf', 'secure', ...

So in case of csrf error, it was possible to tell the user something like "please make sure you have cookies enabled or reload the page to refresh session/cookie and try again" instead of just throwing a 400 error.

In cakephp 3, I don't see how to do the same thing. Here is why I think this is a regression.

Maybe adding a "blackhole-like" callback is not a good option. If you guys prefer using a specific exception class, it'll be good too, as long as I can render a different error template for CSRF errors as you said @markstory .

[PGBI]

btw, I can work on this if you agree with this feature.

[markstory]

I think specific exceptions is a better way to handle these kinds of situations going forward. Exceptions can be easily converted into error pages, or responses, or caught by controller hook methods like startupProcess(). I don't like callback methods as they are easy to accidentally not stop the request.

[lorenzo]

I think a custom exception is the way to go

[markstory]

Fixed with #6620