What is CSRF, please see the details here. http://en.wikipedia.org/wiki/Cross-site_request_forgery
In Yii, how to start the CSRF authorization? It is very easy to do that.
Just add this to main.php
'components'=>array(
'request'=>array(
'enableCsrfValidation'=>true,
),
),
'request'=>array(
'enableCsrfValidation'=>true,
),
),
And then, do something else to send a request to the server, you have to provide the YII_CSRF_TOKEN ( the browser will do for us when click a link), otherwise, you will get this message
The CSRF token could not be verified.
when you post a form, if you do not use CActiveForm or its children, you have to provide a hidden field to store the YII_CSRF_TOKEN.
<input type="hidden" name="YII_CSRF_TOKEN" value="<?php echo Yii::app()->request->csrfToken; ?>" />
If you use CActiveForm or its children, you just use the same code no matter you set enableCsrfValidation to true or false.
<?php $form=$this->beginWidget('CActiveForm'); ?>
Yii will know how to do it!
Have fun with Yii! :)