I know what a CSRF attack is, and I have read the documentation about it, however I have trouble understanding how CSRF protection works in depth, and have some general questions I couldn't find answers to.
In the documentation it says that Laravel automatically generates a token for each active user session managed by the application.
- Where does it create the token (what part of the code triggers it)?
- Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by session.php?
- What does this mean when I reload the page, is the token still the same as the session.php has 120 min default lifetime?
- ... domain property to be "." . env('APP_URL')?
So once the token has been created and stored somewhere, when making a request, I have to provide either csrf_token() as a hidden property to the form, or generate it as a meta field and redirect to my JS file if I'm doing an AJAX request.
So what happens at a low level when I actually make a request? The request generates csrf_token(), Laravel encrypts the cookie, Laravel checks if the cookie sent is the same as the cookie in the session. If yes, it means that the request is valid; if not, throw TokenMismatchException?
Does that mean that every request during the lifetime of the cookie will have the same token?
Does Laravel encrypt request and response cookies differently? If I exclude the token from cookie encryption in the EncryptCookies class I get the same token, but when I leave it, the hashes are different.
How does providing _token in the request data differ from forwarding the token as an X-CSRF-TOKEN header? How does Laravel validate those if I see them unencrypted? Do they get encrypted after the request?
Introduction. Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.
CSRF protection is enabled by default in all routes of Laravel 5. We can disable it for specific routes by modifying the app/Http/Middleware/VerifyCsrfToken.php file of your application, or you can disable it as a whole.
You can conveniently build JavaScript driven applications using a JavaScript HTTP library, as this includes the CSRF token in every outgoing request. The file resources/assets/js/bootstrap.js registers all the tokens for Laravel applications and includes a meta tag which stores the csrf-token with the Axios HTTP library.
- Where does it create the token (what part of the code triggers it)?
After going through the helpers file /vendor/laravel/framework/src/Illuminate/Foundation/helpers.php, which has the definition of the csrf_token() helper method, which calls the token method on /vendor/laravel/framework/src/Illuminate/Session/Store.php, and if you check start(), which calls regenerateToken() if _token hasn't been set, it saves a random 40 character string to the session with the key of _token:
/**
 * Regenerate the CSRF token value.
 *
 * @return void
 */
public function regenerateToken()
{
    $this->put('_token', Str::random(40));
}
- Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by session.php?
The token is stored in the session; you can extract it using session('_token'). The session expiration time is controlled in session.php using:
'lifetime' => env('SESSION_LIFETIME', 120),
'expire_on_close' => false,
- What does this mean when I reload the page, is the token still the same as the session.php has 120 min default lifetime?
If you check start() in /vendor/laravel/framework/src/Illuminate/Session/Store.php:
/**
 * Start the session, reading the data from a handler.
 *
 * @return bool
 */
public function start()
{
    $this->loadSession();

    if (! $this->has('_token')) {
        $this->regenerateToken();
    }

    return $this->started = true;
}
the token is regenerated if the session does not have _token. So _token would be the same until the session expires.
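The token lifecycle described in this answer, and the _token-field versus X-CSRF-TOKEN-header question asked above, written out as an added example that is not Laravel's own code: it models Store::start() and a middleware-style comparison of the session token with whatever the request carries. The function names, the array-based session and request, and the hex token (standing in for Str::random(40)) are all assumptions of this example.

```php
<?php
// Added example (not Laravel's own code): a session-bound CSRF token is generated once
// per session, then checked against the _token form field or the X-CSRF-TOKEN header.

class TokenMismatchException extends RuntimeException {}

// Stand-in for Str::random(40): 40 hex characters from a CSPRNG.
function randomToken(): string
{
    return bin2hex(random_bytes(20));
}

// Mirrors Store::start(): regenerate only when the session has no _token yet,
// so every request within the session lifetime sees the same value.
function startSession(array &$session): void
{
    if (!isset($session['_token'])) {
        $session['_token'] = randomToken();
    }
}

// The form field is tried first, then the header that AJAX requests send.
function tokenFromRequest(array $input, array $headers): ?string
{
    return $input['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
}

// Constant-time comparison; a missing or wrong token rejects the request.
function verifyCsrf(array $session, array $input, array $headers): void
{
    $token = tokenFromRequest($input, $headers);
    if (!is_string($token) || !hash_equals($session['_token'], $token)) {
        throw new TokenMismatchException('CSRF token mismatch');
    }
}

// Constructed walk-through.
$session = [];
startSession($session);
$first = $session['_token'];
startSession($session);                 // simulated page reload within the same session
assert($session['_token'] === $first);  // the token is unchanged
verifyCsrf($session, ['_token' => $first], []);        // classic form post: accepted
verifyCsrf($session, [], ['X-CSRF-TOKEN' => $first]);  // AJAX header: accepted
try {
    verifyCsrf($session, [], []);                      // request carrying no token
} catch (TokenMismatchException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The same session token is accepted from either location because the check only cares that the submitted value equals the one stored server side; the X-XSRF-TOKEN cookie path, where the browser-readable cookie is encrypted by EncryptCookies, is left out here.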