Laravel middleware: used to prevent cross-site request forgery (CSRF) attacks
Overview:
In Internet applications, cross-site request forgery (CSRF) attacks are a common network security threat. A CSRF attack forges a malicious request so that a user performs an unauthorized operation without their knowledge, such as changing a password or transferring funds. To prevent this kind of attack, Laravel provides a built-in middleware that can easily protect applications from CSRF attacks.
Usage of CSRF middleware:
In Laravel, using the CSRF middleware is very simple. First, we need to register the middleware. Open the app/Http/Kernel.php file, find the web middleware group, and add the VerifyCsrfToken middleware as follows:
```php
protected $middlewareGroups = [
    'web' => [
        // other middleware...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
    // other middleware groups...
];
```
When the middleware is registered, Laravel will automatically generate a token for each request and store it in the session. Each time a POST, PUT, or DELETE request is sent, Laravel will compare the token in the request with the token stored in the session. If they are inconsistent, the request will be rejected and an error will be returned.
Generate CSRF token:
Laravel provides a global csrf_token helper function for generating a CSRF token in the view. In an HTML form, we can protect the form from CSRF attacks by adding a hidden input field inside the <form> tag and setting the value of that input field to the CSRF token.
```html
<form method="POST" action="/submit">
    @csrf
    <!-- other form fields... -->
    <button type="submit">Submit</button>
</form>
```
In the above example, we used the @csrf directive to generate a hidden CSRF token input field. This directive automatically inserts a hidden <input> tag into the generated HTML, with the name _token and the CSRF token as its value.
If you use Laravel's built-in form helper (such as Form::open), you do not need to add the CSRF token input field manually; Laravel generates it for you.
Manually verify CSRF token:
In addition to automatic verification, Laravel also provides a way to verify the CSRF token manually, so that we can perform more fine-grained verification in a controller or route callback. We can use the csrf_token helper function to obtain the CSRF token of the current request, and obtain the token stored in the session by calling the session method of the Request object.
The following is an example of manually verifying the CSRF token in the controller:
```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Session;

class UserController extends Controller
{
    public function updateProfile(Request $request)
    {
        // Token submitted by the form; default to '' so hash_equals always receives a string
        $token = (string) $request->input('_token', '');

        if (!hash_equals(Session::token(), $token)) {
            // CSRF token verification failed
            abort(403, 'Unauthorized action.');
        }

        // CSRF token verification passed, continue processing
        // ...
    }
}
```
In the above example, we used the hash_equals function to check whether the token in the request is consistent with the token in the session, which keeps the CSRF token verification secure.
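The same manual check can be moved out of the controller and into a middleware of its own, so that every state-changing request on a route is verified the same way. The class below is an added example, not Laravel's own VerifyCsrfToken; the class name ManualCsrfCheck and its namespace are assumptions, and it accepts the token either from the _token field that @csrf emits or from an X-CSRF-TOKEN request header.

```php
<?php

namespace App\Http\Middleware; // assumed location for this added example

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example (not Laravel's built-in VerifyCsrfToken): the manual
 * hash_equals check from the controller above, as reusable middleware.
 */
class ManualCsrfCheck
{
    /** Methods that must not change state and therefore need no token. */
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public function handle(Request $request, Closure $next): Response
    {
        // Only requests that can change state are checked.
        if (in_array(strtoupper($request->method()), self::SAFE_METHODS, true)) {
            return $next($request);
        }

        // Token from the @csrf hidden field, or from an AJAX X-CSRF-TOKEN header.
        $supplied = $request->input('_token') ?? $request->header('X-CSRF-TOKEN');

        // Token that was stored in the session when it was started.
        $expected = $request->session()->token();

        // Reject a missing token before calling hash_equals, which requires two
        // strings; hash_equals then compares in constant time so a partial
        // match leaks nothing through response timing.
        if (!is_string($supplied) || $supplied === '' || !hash_equals($expected, $supplied)) {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }
}
```

Attach it to a route like any other middleware, for example `Route::post('/profile', [UserController::class, 'updateProfile'])->middleware(ManualCsrfCheck::class);`, and the controller no longer needs its own token check.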
Summary:
Laravel's CSRF middleware provides a simple yet powerful way to prevent cross-site request forgery attacks. By automatically generating and validating CSRF tokens, we can effectively protect our applications from malicious requests. Whether it is automatic verification or manual verification, Laravel provides us with flexible and reliable options to secure our applications.