Skip to content
docsv0.1.0

CsrfDeniedException

The 403 signal that {@see \Milpa\Auth\Http\CsrfGuard} refused a state-changing request whose CSRF state token was missing or did not match the one issued in the state cookie. The message teaches the fix without ever echoing either token value back — printing the expected or submitted state would hand it to exactly the log an attacker reads.

CsrfDeniedException::stateMismatch()

public static function stateMismatch(): self

The submitted state token was absent, or did not match the issued state cookie (timing-safe).