I know what a CSRF attack is, and I have read the documentation about it, however I have trouble understanding how CSRF protection works in depth, and have some general questions I couldn't find answers to.
In the documentation it says that Laravel automatically generates a token for "... each active user session managed by the application."
- Where does it create the token (what part of the code triggers it)?
- Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by
- What does this mean when I reload the page, is the token still the same, as `session.php` has a 120 min default lifetime?
- What happens with that cookie when I navigate to a subdomain handled by the same app if I have set my `domain` property to be `"." . env('APP_URL')`?
So once the token has been created and stored somewhere, when making a request I have to provide either `csrf_token()` as a hidden property in the form, or generate it as a meta field and redirect to my JS file if I'm doing an AJAX request.
So what happens at low level when I actually make a request? The request generates `csrf_token()`, Laravel encrypts the cookie, Laravel checks if the cookie sent is the same as the cookie in the session. If yes, it means that the request is valid; if not, throw
Does that mean that every request during the lifetime of the cookie will have the same token?
Does Laravel encrypt request and response cookies differently? If I exclude the token from cookie encryption in the `EncryptCookies` class I get the same token, but when I leave it in, the hashes are different.
How does providing `_token` in the request data differ from forwarding the token as the `X-CSRF-TOKEN` header? How does Laravel validate those if I see them unencrypted? Do they get encrypted after the request?
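As an added illustration (not the asker's code and not Laravel's own implementation), a standalone PHP sketch of the check the question is describing: the session holds one random token for its whole lifetime, and a request passes only when the `_token` field, the `X-CSRF-TOKEN` header, or the decrypted `X-XSRF-TOKEN` cookie value matches that session token in a constant-time comparison. The function names (`issueToken`, `tokenFromRequest`, `verifyCsrf`), the `$session` array and the `$decryptCookie` callback are assumptions that stand in for the framework's session store and `EncryptCookies`.

```php
<?php
// Added illustration of the CSRF check described above; not Laravel's code.
// Session storage and cookie decryption are simulated with plain PHP.

// One random token per session. It is created once and reused on every
// request until the session itself is regenerated or expires, so a page
// reload within the session lifetime sees the same value.
function issueToken(array &$session): string {
    if (!isset($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(20)); // 40 hex characters
    }
    return $session['_token'];
}

// Pull the candidate token from the places a request can carry it:
// the form field first, then the header, then the XSRF cookie value,
// which the client copies into X-XSRF-TOKEN and which must be decrypted.
function tokenFromRequest(array $input, array $headers, ?callable $decryptCookie): ?string {
    if (!empty($input['_token'])) {
        return $input['_token'];
    }
    if (!empty($headers['X-CSRF-TOKEN'])) {
        return $headers['X-CSRF-TOKEN'];
    }
    if (!empty($headers['X-XSRF-TOKEN']) && $decryptCookie !== null) {
        return $decryptCookie($headers['X-XSRF-TOKEN']); // null when tampered
    }
    return null;
}

// Constant-time comparison against the session token; a missing token on
// either side fails closed.
function verifyCsrf(array $session, ?string $candidate): bool {
    return isset($session['_token']) && is_string($candidate)
        && hash_equals($session['_token'], $candidate);
}

// Constructed demo: one session, a form post, an AJAX request, a forgery,
// and a request carrying the (simulated) encrypted XSRF cookie value.
$session = [];
$token = issueToken($session);
$formOk = verifyCsrf($session, tokenFromRequest(['_token' => $token], [], null));
$ajaxOk = verifyCsrf($session, tokenFromRequest([], ['X-CSRF-TOKEN' => $token], null));
$forged = verifyCsrf($session, tokenFromRequest(['_token' => 'guess'], [], null));
$decrypt = fn(string $c) => $c === 'enc:' . $token ? $token : null; // stand-in for decryption
$xsrfOk = verifyCsrf($session, tokenFromRequest([], ['X-XSRF-TOKEN' => 'enc:' . $token], $decrypt));
var_dump($formOk, $ajaxOk, $forged, $xsrfOk);
```

Whichever carrier is used, the comparison is against the plaintext token in the session; the encryption seen on the `XSRF-TOKEN` cookie is the cookie transport layer, which is why the cookie's visible value changes while `csrf_token()` stays the same.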