CODEWITHSUNDEEP
laravelcsrf
Gabriel Matusevich
Gabriel Matusevich

Reputation: 3855

Laravel CSRF Token

EDIT: I should have said this at the start, I'm using AngularJS in the FronEnd, and I'm making all the request via XHR. I'm developing an Application using CSRF Token for every user request.

Should I regenerate the Token after each request?

Something like 

Session::forget("_token") and Session::put("_token", RANDOM_SOMETHING)

Or is it enough to use the same one each user Session?

Is there any benefit?

Upvotes: 21

Views: 149994

Answers (6)

duellsy
duellsy

Reputation: 8577

Laravel should be doing this for you, you don't need to manage the creation / deletion of _token

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

See the 'CSRF Protection' section in the docs here: https://laravel.com/docs/10.x/csrf#

Upvotes: 16

Mr Talha
Mr Talha

Reputation: 825

If you want to get the CSRF Token in the controller so you can just use it like this and redirect the post Route 

$CSRFToken = csrf_token();

Easy Peasy Hope it helps you

Upvotes: 2

Paresh Barad
Paresh Barad

Reputation: 1609

CSRF token prevents Cross-Site attack by comparing cookie token with server token.

You can generate csrf token in laravel by csrf_token() helper function. If you want full csrf fields then you can use csrf_field() function and csrf internal logic is

function csrf_field()
{
   return new HtmlString('<input type="hidden" name="_token" value="'.csrf_token().'">');
}

When new request will generate then laravel create random token every time and store in browser cookie and session after stored Its compare to each other like cookie == session token

Laravel Internal logic is following and you can find it in VerifyCsrfToken Middleware.

/**
 * Determine if the session and input CSRF tokens match.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function tokensMatch($request)
{
    $token = $this->getTokenFromRequest($request);

    return is_string($request->session()->token()) &&
           is_string($token) &&
           hash_equals($request->session()->token(), $token);
}

/**
 * Get the CSRF token from the request.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return string
 */
protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        $token = $this->encrypter->decrypt($header);
    }

    return $token;
}

/**
 * Add the CSRF token to the response cookies.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
            $config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
        )
    );

    return $response;
}

Upvotes: 3

Joyal
Joyal

Reputation: 2693

If you are using Laravel 5.6, do the following at the top of forms to create hidden input field for the CSRF token

  @csrf

Upvotes: 10

madarasz
madarasz

Reputation: 430

With Laravel 5 using Blades templates, it's pretty easy.

If you only want the value of the csrf token, you can generate it by writing:

{{ csrf_token() }}

which generates the token value like this:

7YC0Sxth7AYe4RFSjzaPf2ygLCecJhPbyXhz6vvF

If you are using forms, you can add the following line of code inside the form:

{{ csrf_field() }}

which will generate html like this:

<input type="hidden" name="_token" value="7YC0Sxth7AYe4RFSjzaPf2ygLCecJhblahblah">

Upvotes: 43

hlev
hlev

Reputation: 551

Depends. If the attacker is not MITM, in the sense that they cannot eavesdrop on traffic between your web app and the API server, a single CSRF token for the entire session should be enough.

Assuming you guard sensitive operations on the server-side too (i.e. allow access to resources only to the owner of the resource, e.g. "delete my account", etc.) the token would ensure that the browser making the request is the legitimate, authenticated user's browser. That's all you should worry about, I think.

On the other hand, if the attacker is capable of looking at non-secure traffic between the web app and your API, they may get hold of the CSRF token and your session_id and do evil stuff transparently. In such case granting, using and subsequently discarding a token for each request (POST, or any kind that does sensitive operation) only makes their job a bit more difficult, but you're still doomed.

My 2 cents...

Upvotes: 7

Related Questions