//js里
1、<input type="hidden" value="<?php echo Yii::$app->request->csrfToken; ?>" name="_csrf" >
2、
function getMessage(){
        $.ajax({
            headers:{ 
                "<?php echo \Yii\web\Request::CSRF_HEADER;?>":
                    '<?php echo Yii::$app->request->csrfToken; ?>' // _csrf验证
            },
            type: 'post', //传输类型
            url: "/site/ajax-message",
            async: true,
            data: {
                start:0
            },
            dataType: "jsonp",
            success: function (data) {
                consolr.log(data)
            }
        });
    }
//php里
1、main.php
'components' => [
        'request' => [
            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
            'enableCookieValidation' => true,
            'cookieValidationKey' => 'cookvalid',
        ],
]
2、控制器中添加：
public $enableCsrfValidation = false;