Question

I am trying to use the Security component in order to avoid CSRF attacks, and if I use the FormHelper to create the ticket just using a postLink, like this, it fails:

<?php echo $this->Form->postLink(__('Delete'), array('action' => 'delete', $user['User']['id']),  array('class' => 'button mini'), __('Are you sure?', $user['User']['id'])); ?>

I am not sure if this is possible or CakePHP just allow this feature using the create() and end() methods of formHelper.

CakePHP documentation only says that it is compulsory to use the FormHelper, but it doesn't specify much more.

Solution

When you have the Security component enabled and you use the FormHelper methods for all forms you do not have to worry about this. You also do not have to configure anything. It works out of the box.

For CSRF you can use the following options:

property SecurityComponent::$csrfCheck
Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.

property SecurityComponent::$csrfExpires
The duration from when a CSRF token is created that it will expire on. Each form/page request will generate a new token that can only be submitted once unless it expires. Can be any value compatible with strtotime(). The default is +30 minutes.

property SecurityComponent::$csrfUseOnce
Controls whether or not CSRF tokens are use and burn. Set to false to not generate new tokens on each request. One token will be reused until it expires. This reduces the chances of users getting invalid requests because of token consumption. It has the side effect of making CSRF less secure, as tokens are reusable.

If you have everything ON you should see the CSRF tokens in the html of the form. You can set any additional options you like but it will pretty much work out of the box for you.
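The setup the answer describes, written out as an added example (not code from the question or answer, and not CakePHP's own source). It assumes a CakePHP 2.x application, a controller named UsersController with a delete action, and a blackhole handler method whose name ("blackhole") is my choice; the postLink call is the one from the question.

```php
<?php
// app/Controller/AppController.php
// Loading SecurityComponent is all that is needed: csrfCheck, csrfExpires and
// csrfUseOnce below are the defaults, spelled out so their effect is visible.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array(
        'Security' => array(
            'csrfCheck'   => true,          // reject POSTs that lack a valid _Token
            'csrfExpires' => '+30 minutes', // strtotime()-compatible token lifetime
            'csrfUseOnce' => true,          // fresh token per rendered form; each is single-use
            'blackHoleCallback' => 'blackhole', // assumed method name, defined below
        ),
    );

    // SecurityComponent calls this with the failure type ('csrf', 'auth', 'secure', ...)
    // when a request fails its checks. Log it and refuse the request instead of
    // letting the action run with unverified input.
    public function blackhole($type) {
        CakeLog::write('warning', sprintf(
            'Request blackholed (%s) for %s from %s',
            $type, $this->request->here, $this->request->clientIp()
        ));
        throw new BadRequestException(__('The request could not be verified.'));
    }
}

// app/Controller/UsersController.php
// The action itself only has to insist on a write method; the CSRF check has
// already run in SecurityComponent::startup() before we get here.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function delete($id = null) {
        $this->request->allowMethod('post', 'delete'); // CakePHP 2.5+ (onlyAllow() on older 2.x)
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->User->delete()) {
            $this->Session->setFlash(__('The user has been deleted.'));
        } else {
            $this->Session->setFlash(__('The user could not be deleted.'));
        }
        return $this->redirect(array('action' => 'index'));
    }
}

// app/View/Users/index.ctp
// The same postLink as in the question. With SecurityComponent loaded,
// FormHelper emits a hidden form that carries the data[_Token][key] and
// data[_Token][fields] inputs, and the link submits it via JavaScript.
echo $this->Form->postLink(
    __('Delete'),
    array('action' => 'delete', $user['User']['id']),
    array('class' => 'button mini'),
    __('Are you sure you want to delete user %s?', $user['User']['id'])
);
```

To confirm it is working, view the page source and look for the hidden `_Token` inputs inside the form that postLink generated; then submit the form a second time from the same page (for example with the browser's back button) and the blackhole callback should log a `csrf` failure, because with csrfUseOnce enabled each token is consumed on first use.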

Licensed under: CC-BY-SA with attribution