CSRF-TOKEN
CSRF is an attack using unauthorized command done on behalf of an authorized user.
Including csrf token in a form its in a hidden format,so that middleware can validate the request.
Laravel automatically generates the csrf token for each active session.This token is used to verify each
authenticated user is making the request
Method for generting csrf token
|
1 2 3 4 |
<form method="POST" action="testlogin"> {{ csrf_field() }} </form> |
we can use the below code also to generate csrf token
|
1 |
<input type="hidden" name="_token" value="{{ csrf_token() }}"> |
Middleware folder contains file called verifycsrftoken.php. Functions inside this file will verify the token in the input request with value in session.
For a particualr reason if you want to avoid csrf protection you can exclude using the verifycsrftoken.php file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
<?php namespace App\Http\Middleware; use Closure; use Redirect; use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier; class VerifyCsrfToken extends BaseVerifier { /** * The URIs that should be excluded from CSRF verification. * * @var array */ protected $except = ['myTest','helllTest']; ?> |
X-CSRF-TOKEN
In addition to check the csrf token in the post parameter.verifycsrftoken will verify the
token in the request header
if we store the the token in meta tag, like..
|
1 |
<meta name="csrf-token" content="{{ csrf_token() }}"> |
this verification from request header not from the form post method.In the case of ajax application
jquery will instruct the function to add csrftoken.
|
1 2 3 4 5 |
$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } }); |
X-XSRF-TOKEN
x-xsrf-token is generated and save as a cookie in each response generated by the laravel.this value we can use in the request header.
So in csrf token stored in request header and hidden field in the form.