Reputation: 663
The most-voted answer to this question (https://security.stackexchange.com/questions/19128/csrf-cookie-vs-session-based-tokens) states:
If you put your token in a cookie, it will be sent to the server automatically, just as the session cookie is, so you don't get any additional protection from that.
And Laravel seems to behave exactly as stated above. Here's a screenshot of what I tested.
I am not sure whether I have some settings wrong or have misunderstood CSRF, but storing an extra CSRF cookie in addition to the session cookie really does not seem to give any extra protection.
Any help would be appreciated.
Upvotes: 0
Views: 1518
Reputation: 960
Not always. A cookie with a SameSite value of None will always be sent. The XSRF-TOKEN cookie has SameSite=Lax, so it will only be sent on the same website.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#none
SameSite=None
Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-site requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
SameSite=Lax
Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
Upvotes: 1
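As an added illustration (not code from the question, the answer, or Laravel itself), the following simulates the browser's SameSite decision described in the answer together with the cookie-to-header check that the XSRF-TOKEN cookie exists for: the token cookie travelling with the request is not the protection, the matching X-XSRF-TOKEN header is, because only script running on the same site can read the cookie to set it. Cookie names follow Laravel's defaults, the header name is assumed, and all values are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False


def cookie_is_sent(cookie, same_site, top_level_nav, https):
    """Decide whether a browser attaches `cookie` to a request.
    same_site: the request originates from the cookie's own site.
    top_level_nav: a top-level GET navigation (following a link), the one
    cross-site case that SameSite=Lax still allows."""
    if cookie.samesite == "None":
        # None is only honoured with Secure on HTTPS; otherwise the cookie is blocked.
        return cookie.secure and https
    if same_site:
        return True
    if cookie.samesite == "Strict":
        return False
    return top_level_nav  # Lax


def csrf_header_matches(cookies, headers):
    """Cookie-to-header check: X-XSRF-TOKEN must equal the XSRF-TOKEN cookie."""
    token, header = cookies.get("XSRF-TOKEN"), headers.get("X-XSRF-TOKEN")
    return token is not None and header is not None and secrets.compare_digest(token, header)


def simulate_post(from_same_site, samesite_attr):
    """Simulate a state-changing POST and report what the server sees.
    Cookie names are Laravel's defaults; the values are constructed."""
    jar = [Cookie("laravel_session", "constructed-session-id", samesite_attr, secure=True),
           Cookie("XSRF-TOKEN", secrets.token_hex(20), samesite_attr, secure=True)]
    sent = {c.name: c.value for c in jar
            if cookie_is_sent(c, from_same_site, top_level_nav=False, https=True)}
    # Only same-site JavaScript can read document.cookie and copy the token into the
    # header; a cross-site page cannot, so it sends no header even if the cookie goes.
    headers = {"X-XSRF-TOKEN": jar[1].value} if from_same_site else {}
    authenticated = "laravel_session" in sent
    csrf_ok = csrf_header_matches(sent, headers)
    return {"authenticated": authenticated, "csrf_ok": csrf_ok,
            "accepted": authenticated and csrf_ok}
```

With SameSite=None both cookies reach the server on a cross-site POST, yet the request is still rejected because the header is missing; with SameSite=Lax the cookies are not sent at all.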