问题
EDIT: I should have said this at the start, I'm using AngularJS in the FronEnd, and I'm making all the request via XHR.
I'm developing an Application using CSRF Token for every user request.
Should I regenerate the Token after each request?
Something like
Session::forget("_token") and Session::put("_token", RANDOM_SOMETHING)
Or is it enough to use the same one each user Session?
Is there any benefit?
回答1:
With Laravel 5 using Blades templates, it's pretty easy.
If you only want the value of the csrf token, you can generate it by writing:
{{ csrf_token() }}
which generates the token value like this:
7YC0Sxth7AYe4RFSjzaPf2ygLCecJhPbyXhz6vvF
If you are using forms, you can add the following line of code inside the form:
{{ csrf_field() }}
which will generate html like this:
<input type="hidden" name="_token" value="7YC0Sxth7AYe4RFSjzaPf2ygLCecJhblahblah">
回答2:
Laravel should be doing this for you, you don't need to manage the creation / deletion of _token
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
See the 'CSRF Protection' section in the docs here: http://laravel.com/docs/security
回答3:
If you are using Laravel 5.6, do the following at the top of forms to create hidden input field for the CSRF token
@csrf
回答4:
Depends. If the attacker is not MITM, in the sense that they cannot eavesdrop on traffic between your web app and the API server, a single CSRF token for the entire session should be enough.
Assuming you guard sensitive operations on the server-side too (i.e. allow access to resources only to the owner of the resource, e.g. "delete my account", etc.) the token would ensure that the browser making the request is the legitimate, authenticated user's browser. That's all you should worry about, I think.
On the other hand, if the attacker is capable of looking at non-secure traffic between the web app and your API, they may get hold of the CSRF token and your session_id and do evil stuff transparently. In such case granting, using and subsequently discarding a token for each request (POST, or any kind that does sensitive operation) only makes their job a bit more difficult, but you're still doomed.
My 2 cents...
回答5:
CSRF token prevents Cross-Site attack by comparing cookie token with server token.
You can generate csrf token in laravel by csrf_token() helper function. If you want full csrf fields then you can use csrf_field() function and csrf internal logic is
function csrf_field()
{
return new HtmlString('<input type="hidden" name="_token" value="'.csrf_token().'">');
}
When new request will generate then laravel create random token every time and store in browser cookie and session after stored Its compare to each other like cookie == session token
Laravel Internal logic is following and you can find it in VerifyCsrfToken Middleware.
/**
* Determine if the session and input CSRF tokens match.
*
* @param \Illuminate\Http\Request $request
* @return bool
*/
protected function tokensMatch($request)
{
$token = $this->getTokenFromRequest($request);
return is_string($request->session()->token()) &&
is_string($token) &&
hash_equals($request->session()->token(), $token);
}
/**
* Get the CSRF token from the request.
*
* @param \Illuminate\Http\Request $request
* @return string
*/
protected function getTokenFromRequest($request)
{
$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
$token = $this->encrypter->decrypt($header);
}
return $token;
}
/**
* Add the CSRF token to the response cookies.
*
* @param \Illuminate\Http\Request $request
* @param \Symfony\Component\HttpFoundation\Response $response
* @return \Symfony\Component\HttpFoundation\Response
*/
protected function addCookieToResponse($request, $response)
{
$config = config('session');
$response->headers->setCookie(
new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
)
);
return $response;
}
回答6:
If you want to get the CSRF Token in the controller so you can just use it like this and redirect the post Route
$CSRFToken = csrf_token();
Easy Peasy Hope it helps you
来源:https://stackoverflow.com/questions/22877117/laravel-csrf-token