
Solution to csrf attack in laravel

WBOY
Release: 2022-06-21 16:07:53

Solution: 1. Laravel automatically generates a CSRF Token for each user Session. This Token is used to verify that the logged-in user and the person who initiated the request are the same; if they are not, the request fails. 2. Laravel provides the global helper function csrf_token to obtain the Token value, so you only need to add the token to the submission form in the view, with the syntax <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">.


The operating environment of this article: Windows 10 system, Laravel version 9, Dell G3 computer.

Solution to csrf attacks in laravel

CSRF is the abbreviation of Cross-Site Request Forgery.

Avoiding CSRF attacks in the Laravel framework is very simple:

1. Laravel automatically generates a CSRF Token for each user Session. This Token is used to verify that the logged-in user and the requester are the same person; if they are not, the request fails. (The principle is the same as a verification code: the attacker's forged request cannot know the secret value bound to the victim's session.)

2. Laravel provides the global helper function csrf_token to obtain the Token value, so you only need to add the following HTML code to the submission form in the view to include the Token in the request:

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

How to avoid CSRF attacks in Laravel

Case: verify the CSRF mechanism through a worked example
1. Create two routes: one to display the form (GET) and one to handle the submitted request (POST)

Route::get('test6', 'Home\TestController@test6');
Route::post('test7', 'Home\TestController@test7');

2. Create the required method

    // GET: render the page that contains the form
    public function test6()
    {
        return view('home.test.test6');
    }

    // POST: only reached if the CSRF middleware accepted the request
    public function test7()
    {
        return "请求提交成功";
    }

3. Create the required simple form


4. Submit the form (an error page is returned)


Conclusion: this case shows that the CSRF verification mechanism in Laravel is enabled by default.

5. Fix the error (how to pass CSRF verification)
Solution: include the token value required by the CSRF check in the form, so that it is sent along with the request to the handling method

<form action="/home/test/test7" method="post">
    用户名:<input type="text" name="username"><br>
    <!-- either of the next two lines is enough; both produce the same hidden _token field -->
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    {{ csrf_field() }}
    <input type="submit" value="提交">
</form>

Simplified form of the csrf_token hidden input: {{ csrf_field() }}


The difference between the two:
csrf_token() outputs only the token value
csrf_field() outputs the entire hidden input field

Which one to use: in most cases either can be chosen according to the situation. There is one situation, however, where the developer has no choice and must use csrf_token(): asynchronous form submission, where there is no HTML form to place a hidden field in and the script must carry the raw token value itself.
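The asynchronous case just described, as an added example that is not part of the original article: the token is emitted once with csrf_token() into a <meta> tag in the layout, and the script sends it in the X-CSRF-TOKEN request header, which Laravel's VerifyCsrfToken middleware accepts in place of the _token form field. The meta tag name and header name are Laravel's own conventions; the helper names and the injectable doc parameter are assumptions made so the code also runs outside a browser.

```javascript
// The Blade layout emits the token once (Laravel convention):
//   <meta name="csrf-token" content="{{ csrf_token() }}">
// csrf_field() is of no use here: there is no HTML form being posted,
// so the script has to read and carry the raw token value itself.

// Read the token from the page. `doc` is injectable (assumption for this
// example) so the function can be exercised without a real DOM.
function getCsrfToken(doc = globalThis.document) {
  const meta = doc && doc.querySelector('meta[name="csrf-token"]');
  const token = meta && meta.getAttribute('content');
  if (!token) {
    throw new Error('CSRF token missing: add <meta name="csrf-token"> to the layout');
  }
  return token;
}

// Build the fetch() options for an asynchronous POST.
// VerifyCsrfToken checks the X-CSRF-TOKEN header when no _token field is
// present; 'same-origin' credentials send the session cookie that the
// token is validated against, and nothing else.
function buildCsrfRequest(token, payload) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'X-CSRF-TOKEN': token,
    },
    body: JSON.stringify(payload),
  };
}

// Submit form data asynchronously. Laravel answers a missing or mismatched
// token with HTTP 419 (the "error page" seen in the case above).
async function postJson(url, payload, doc = globalThis.document) {
  const response = await fetch(url, buildCsrfRequest(getCsrfToken(doc), payload));
  if (response.status === 419) {
    throw new Error('CSRF token mismatch (HTTP 419): session expired or token not sent');
  }
  return response;
}
```

Calling postJson('/home/test/test7', { username: 'alice' }) from the page replaces the synchronous form in the case above; the server-side handler and route are unchanged.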

Exclude exception routing from CSRF verification

Not all requests need to be protected against CSRF, for example requests made by third-party APIs to obtain data.
You can set exceptions by adding the request URLs to be excluded to the $except property array of the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php):

Set exceptions by writing them into the $except array. Note that Laravel matches each entry as a URI pattern against the request path (for the form above that is the action path /home/test/test7), so an entry must be a path, not a view name.
Single route exclusion:

    protected $except = [
        'home.test.test6',
    ];

Multiple entries are separated by "," following normal PHP array syntax:

    protected $except = [
        'home.test.test6', 'home.test.test7',
    ];

If you need to exclude all routes from CSRF verification, you can write:

    protected $except = [
        '*',
    ];


