Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

SOLVED: Laravel CSRF protection


I know what CSRF attack is, and I have read the documentation about it, however I have trouble understanding how CSRF protection works in depth, and have some general questions I couldn't find.

In the documentation it says that Laravel automatically generates a Token for

... each active user session managed by the application.

  1. Where does it create the token (what part of the code triggers it)?
  2. Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by session.php?
  3. What does this mean when I reload the page, is the token still the same as the session.php has 120 min default lifetime?
  4. What happens with that cookie when I navigate to subdomain handled by the same app if I have set my domain property to be "." . env('APP_URL')?

So once the token has been created and stored somewhere, when making a Request, I have to provide either csrf_token() hidden property to the form, or generate it as a meta field and redirect to my JS file if I'm doing an AJAX request.

  1. So what happens in low-level when I actually make a request? Request generates csrf_token(), Laravel encrypts the cookie, Laravel checks if the cookie sent is the same as the cookie in session. If yes, it means that the request is valid, if not, throw TokenMissmatchException?

  2. Does that mean that every request during the lifetime of the cookie will have the same token?

  3. Does Laravel encrypt request and response cookies differently? If I exclude token from cookie encryption in EncryptCookies class I get the same token, but when I leave it, hashes are different.

  4. How does providing _token in the request data differ from forwarding token as X-CSRF-TOKEN header? How does Laravel validate those if I see them unencrypted? Do they get encrypted after the request?

Posted in S.E.F
via StackOverflow & StackExchange Atomic Web Robots
This Question have been answered

This post first appeared on Stack Solved, please read the originial post: here

Share the post

SOLVED: Laravel CSRF protection


Subscribe to Stack Solved

Get updates delivered right to your inbox!

Thank you for your subscription