Merge pull request #6406 from kenjis/fix-csrf-redirect-default

config: change Security::$redirect to false

Author: kenjis

app/Config/App.php

@@ -369,7 +369,7 @@ class App extends BaseConfig
      *
      * @deprecated Use `Config\Security` $redirect property instead of using this property.
      */
-    public bool $CSRFRedirect = true;
+    public bool $CSRFRedirect = false;
 
     /**
      * --------------------------------------------------------------------------

app/Config/Security.php

@@ -80,7 +80,7 @@ class Security extends BaseConfig
      *
      * Redirect to previous page with error on failure.
      */
-    public bool $redirect = true;
+    public bool $redirect = false;
 
     /**
      * --------------------------------------------------------------------------

env

@@ -124,7 +124,7 @@
 # security.cookieName = 'csrf_cookie_name'
 # security.expires = 7200
 # security.regenerate = true
-# security.redirect = true
+# security.redirect = false
 # security.samesite = 'Lax'
 
 #--------------------------------------------------------------------

system/Security/Security.php

@@ -123,7 +123,7 @@ class Security implements SecurityInterface
      *
      * @var bool
      */
-    protected $redirect = true;
+    protected $redirect = false;
 
     /**
      * CSRF SameSite

user_guide_src/source/changelogs/v4.3.0.rst

@@ -85,7 +85,9 @@ Changes
     - The ``CodeIgniter\CLI\CommandRunner`` class has been removed due to a change in Spark commands processing.
     - The system route configuration file ``system/Config/Routes.php`` has been removed.
     - The route configuration file ``app/Config/Routes.php`` has been changed. Removed include of system routes configuration file.
-- All atomic type properties in ``Config`` classes have been typed.
+- Config
+    - All atomic type properties in ``Config`` classes have been typed.
+    - Changed the default setting to not redirect when a CSRF check fails so that it is easy to see that it is a CSRF error.
 
 Deprecations
 ************

user_guide_src/source/libraries/security.rst

@@ -112,18 +112,22 @@ may alter this behavior by editing the following config parameter value in
 Redirection on Failure
 ----------------------
 
-When a request fails the CSRF validation check, it will redirect to the previous page by default,
-setting an ``error`` flash message that you can display to the end user with the following code in your view::
+Since v4.3.0, when a request fails the CSRF validation check,
+it will throw a SecurityException by default,
 
-    <?= session()->getFlashdata('error') ?>
-
-This provides a nicer experience
-than simply crashing. This can be turned off by editing the following config parameter value in
+If you want to make it redirect to the previous page,
+change the following config parameter value in
 **app/Config/Security.php**:
 
 .. literalinclude:: security/005.php
 
-Even when the redirect value is ``true``, AJAX calls will not redirect, but will throw an error.
+When redirected, an ``error`` flash message is set and can be displayed to the end user with the following code in your view::
+
+    <?= session()->getFlashdata('error') ?>
+
+This provides a nicer experience than simply crashing.
+
+Even when the redirect value is ``true``, AJAX calls will not redirect, but will throw a SecurityException.
 
 Enable CSRF Protection
 ======================

user_guide_src/source/libraries/security/005.php

@@ -6,6 +6,9 @@
 
 class Security extends BaseConfig
 {
-    public $redirect = false;
+    // ...
+
+    public bool $redirect = true;
+
     // ...
 }