diff --git a/framework/yii/validators/CaptchaValidator.php b/framework/yii/validators/CaptchaValidator.php
index 01870d3..7721067 100644
--- a/framework/yii/validators/CaptchaValidator.php
+++ b/framework/yii/validators/CaptchaValidator.php
@@ -21,6 +21,9 @@ use yii\helpers\Html;
  */
 class CaptchaValidator extends Validator
 {
+	/**
+	 * @var boolean whether to skip this validator if the input is empty.
+	 */
 	public $skipOnEmpty = false;
 	/**
 	 * @var boolean whether the comparison is case sensitive. Defaults to false.
diff --git a/framework/yii/web/CaptchaAction.php b/framework/yii/web/CaptchaAction.php
index 53b392d..1e22627 100644
--- a/framework/yii/web/CaptchaAction.php
+++ b/framework/yii/web/CaptchaAction.php
@@ -173,7 +173,7 @@ class CaptchaAction extends Action
 	{
 		$code = $this->getVerifyCode();
 		$valid = $caseSensitive ? ($input === $code) : strcasecmp($input, $code) === 0;
-		$session = Yii::$app->session;
+		$session = Yii::$app->getSession();
 		$session->open();
 		$name = $this->getSessionKey() . 'count';
 		$session[$name] = $session[$name] + 1;
diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php
index 4f0ff1f..3a16f9e 100644
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -27,7 +27,7 @@ class Request extends \yii\base\Request
 	 * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
 	 * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
 	 */
-	public $enableCsrfValidation = false;
+	public $enableCsrfValidation = true;
 	/**
 	 * @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'.
 	 * This property is effectively only when {@link enableCsrfValidation} is true.
@@ -771,7 +771,10 @@ class Request extends \yii\base\Request
 		$this->_cookieValidationKey = $value;
 	}
 
-	private $_csrfToken;
+	/**
+	 * @var Cookie
+	 */
+	private $_csrfCookie;
 
 	/**
 	 * Returns the random token used to perform CSRF validation.
@@ -781,16 +784,15 @@ class Request extends \yii\base\Request
 	 */
 	public function getCsrfToken()
 	{
-		if ($this->_csrfToken === null) {
-			$cookies = $this->getCookies();
-			if (($this->_csrfToken = $cookies->getValue($this->csrfTokenName)) === null) {
-				$cookie = $this->createCsrfCookie();
-				$this->_csrfToken = $cookie->value;
-				$cookies->add($cookie);
+		if ($this->_csrfCookie === null) {
+			$this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName);
+			if ($this->_csrfCookie === null) {
+				$this->_csrfCookie = $this->createCsrfCookie();
+				Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
 			}
 		}
 
-		return $this->_csrfToken;
+		return $this->_csrfCookie->value;
 	}
 
 	/**