Solution: 1. Laravel automatically generates a CSRF token for each user session. The token is used to verify that the logged-in user and the party who initiated the request are the same; if they are not, the request fails. 2. Laravel provides a global helper function csrf_token() to obtain the token value, so you only need to add the token field to the view's submission form, with the syntax <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">.
The operating environment of this article: Windows 10 system, Laravel version 9, Dell G3 computer.
CSRF is the abbreviation of Cross-Site Request Forgery.
Avoiding CSRF attacks in the Laravel framework is very simple:
1. Laravel automatically generates a CSRF Token for each user Session. This Token can be used to verify whether the logged in user and the requester are the same person. If not, the request will fail. (The principle is the same as the verification code.)
2. Laravel provides a global helper function csrf_token() to obtain the token value, so you only need to add the following HTML code to the view's submission form to include the token in the request:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
Case: Implement csrf mechanism verification through cases
1. Create two routes: one to display the form (GET) and one to handle the submitted request (POST)
Route::get('test6','Home\TestController@test6');
Route::post('test7','Home\TestController@test7');
2. Create the required controller methods
public function test6()
{
    return view('home.test.test6');
}

public function test7()
{
    return "请求提交成功";
}
3. Create the required simple form
4. Submit the form (an error page is returned)
Conclusion: the case above shows that the CSRF verification mechanism in Laravel is enabled by default.
5. Solve the error (how to pass CSRF verification)
Solution: include the token value required by CSRF verification in the form, so that it is passed to the handling method together with the request
<form action="/home/test/test7" method="post">
    用户名:<input type="text" name="username"><br>
    {{-- Either of the following two lines is sufficient; they are shown together here only to compare the two ways of writing it --}}
    <input type="hidden" name="_token" value="{{csrf_token()}}">
    {{csrf_field()}}
    <input type="submit" value="提交">
</form>
Shorthand for the csrf_token() hidden field: {{csrf_field()}}
The specific difference between the two:
csrf_token() outputs only the token value
csrf_field() outputs an entire hidden input field
How to choose between them: in most cases you can pick whichever suits the situation. There is one case, however, where the developer has no choice and must use csrf_token(): when the form is submitted asynchronously (an AJAX request rather than a normal form post), because there is no HTML form field for csrf_field() to render into, and the token value itself has to be attached to the request.
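An added example of that asynchronous case (not from the original article): the view exposes csrf_token() in a meta tag and the script sends it in the X-CSRF-TOKEN request header, which Laravel's VerifyCsrfToken middleware accepts as an alternative to the _token form field. The view path and the form action are assumed from the article's earlier case.

```html
{{-- Assumed view: resources/views/home/test/test6.blade.php --}}
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    {{-- Expose the session's CSRF token to page scripts; csrf_field() cannot be used here --}}
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    <form id="test-form" action="/home/test/test7" method="post">
        Username: <input type="text" name="username">
        <input type="submit" value="Submit">
    </form>

    <div id="result"></div>

    <script>
        // Read the token rendered by csrf_token() once the page has loaded
        const csrfToken = document.querySelector('meta[name="csrf-token"]').content;

        document.getElementById('test-form').addEventListener('submit', async (event) => {
            event.preventDefault();
            const form = event.target;

            const response = await fetch(form.action, {
                method: 'POST',
                // VerifyCsrfToken checks the X-CSRF-TOKEN header when no _token field is present
                headers: { 'X-CSRF-TOKEN': csrfToken, 'Accept': 'application/json' },
                body: new FormData(form),
                // Send the session cookie, otherwise the token cannot match the session
                credentials: 'same-origin'
            });

            // A missing or stale token is rejected with HTTP 419 ("Page Expired")
            if (response.status === 419) {
                document.getElementById('result').textContent =
                    'CSRF token missing or expired; reload the page and try again.';
                return;
            }
            document.getElementById('result').textContent = await response.text();
        });
    </script>
</body>
</html>
```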
Not all requests need to be protected against CSRF attacks, for example requests used to exchange data with a third-party API.
You can set exceptions by adding the request URLs to be excluded to the $except property array in the VerifyCsrfToken (app/Http/Middleware/VerifyCsrfToken.php) middleware:
Set the exceptions by writing them into that configuration array:
Single route exclusion:
'home.test.test6',
Multiple entries are separated by "," following the normal array syntax:
'home.test.test6','home.test.test7'
If you need to exclude all routes from CSRF verification, you can write:
'*'