When should I use a hidden field and when should I use a header, and why?
X-XSRF-TOKEN: when do we use it?
X-CSRF-TOKEN: when do we use it?
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be a large random value to make it difficult to guess. A CSRF-secure application assigns a unique CSRF token for every user session.
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
SAP Gateway generates a CSRF token and sends it back in the HTTP response header field X-CSRF-Token. This happens in a non-modifying request (such as GET) if the header field X-CSRF-Token with the value Fetch is sent along with the non-modifying request.
The XSRF-TOKEN cookie is both httponly and secure; it is getting decrypted accurately and it does match up with the token stored for the session on the server.
All of them are for cross site request forgery protection and you need to use just one of them when sending a request to backend. Different names come from different frameworks.

It's all about sending a csrf value to backend. Then backend will compare it with the csrf value stored in database for that specific user and if it matches, it will allow processing the request.

csrf: the csrf value goes in a hidden input:

    <input type="hidden" name="my_csrf_input" value="a_hashed_string_the_csrf_value">

x-csrf-token: we put the csrf value in a meta tag while rendering the html, then in front end we can get the value from that meta tag and send it to backend.

Laravel specific: with laravel as backend, Laravel checks this header automatically and compares it to the valid csrf value in database (laravel has a middleware for this).

x-xsrf-token: front end libraries such as axios automatically get the value of this header from the xsrf-token cookie and put it in every request header. We set the xsrf-token cookie in backend, then our front end framework that uses angular or axios will use it automatically.

Laravel specific: if you use axios or angular with laravel, you don't need to do anything. Just log user in and the 'auth' middleware will do the job.

x-csrf-token ... because cookies are encrypted in laravel.

When you are submitting your data using ajax you will need headers for the CSRF token because ajax will not send the token along with the data.
You can use a hidden field for ajax requests with the following code:

    $.ajaxSetup({ headers: { 'X-CSRF-Token': $('input[name="_token"]').val() } });

but you will have to add the hidden field for every ajax request.
The difference between X-CSRF-TOKEN and X-XSRF-TOKEN is that the first uses a plain text value and the latter uses an encrypted value, because cookies in Laravel are always encrypted. If you use the csrf_token() function to supply the token value, you probably want to use the X-CSRF-TOKEN header.
It was removed from the Laravel 5.2 docs but you can find it in the Laravel 5.0 docs; the link is here.