"."/> ".">
search
HomePHP FrameworkLaravelSolution to csrf attack in laravel

Solution: 1. Use Laravel to automatically generate a "CSRF Token" for each user Session. This Token can be used to verify whether the logged in user and the person who initiated the request are the same person. If not, the request will fail; 2 , provides a global helper function "csrf_token" to obtain the Token value, just add the token code in the view submission form, the syntax is "<...value php="" echo="">".

Solution to csrf attack in laravel

The operating environment of this article: Windows 10 system, Laravel version 9, Dell G3 computer.

Solution to csrf attacks in laravel

CSRF is the English abbreviation of Cross-site request forgery;

It is very difficult to avoid CSRF attacks in the Laravel framework Simple:

1. Laravel automatically generates a CSRF Token for each user Session. This Token can be used to verify whether the logged in user and the requester are the same person. If not, the request will fail. (The principle is the same as the verification code.)

2. Laravel provides a global helper function csrf_token to obtain the Token value, so you only need to add the following HTML code to the view submission form to include it in the request. Token:

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

How to avoid CSRF attacks in Laravel

Case: Implement csrf mechanism verification through cases
1. Create two routes, one for display Form (get), and handle requests (post)

Route::get('test6','Home\TestController@test6');Route::post('test7','Home\TestController@test7');

2. Create the required method

	 public function test6(){
        return view('home.test.test6');
     }
     public function test7()
     {
         return "请求提交成功";
     }

3. Create the required simple form

Solution to csrf attack in laravel

4. Submission effect (error page)

Solution to csrf attack in laravel

Conclusion: Through the case just now, it shows that the csrf verification mechanism in laravel is enabled by default.

5. Solve the error problem (how to pass csrf verification)
Solution: bring the token value required for csrf, and pass it to the subsequent method with the request


    用户名:
         {{csrf_field()}}     

Simplification of the csrf_token method : {{csrf_field()}}

Specific expression:

Solution to csrf attack in laravel

The difference between the two:
Csrf_token only outputs token Value
Csrf_field outputs an entire input hidden field

How to choose when using it later: In most cases, you can choose according to the situation. However, there is a situation where the developer does not have the right to choose and must use csrf_token. In this case, the asynchronous form submission method is used.

Exclude exception routing from CSRF verification

Not all requests need to avoid CSRF attacks, such as requests to third-party APIs to obtain data.
You can set exceptions by adding the request URLs to be excluded to the $except property array in the VerifyCsrfToken (app/Http/Middleware/VerifyCsrfToken.php) middleware:

Set exceptions by writing configuration:
Single Route exclusion writing method

 'home.test.test6',

Multiple elements are separated by "," and follow the array writing method.

'home.test.test6','home.test.test7'

If you need to exclude all routes and use csrf, you can write:

'*'

[Related recommendations: laravel video tutorial]

The above is the detailed content of Solution to csrf attack in laravel. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Beyond the Zoom Call: Creative Strategies for Connecting Distributed TeamsBeyond the Zoom Call: Creative Strategies for Connecting Distributed TeamsApr 26, 2025 am 12:24 AM

ToenhanceengagementandcohesionamongdistributedteamsbeyondZoom,implementthesestrategies:1)Organizevirtualcoffeebreaksforinformalchats,2)UseasynchronoustoolslikeSlackfornon-workdiscussions,3)Introducegamificationwithteamgamesorchallenges,and4)Encourage

What are the breaking changes in the latest Laravel version?What are the breaking changes in the latest Laravel version?Apr 26, 2025 am 12:23 AM

Laravel10introducesseveralbreakingchanges:1)ItrequiresPHP8.1orhigher,2)TheRouteServiceProvidernowusesabootmethodforloadingroutes,3)ThewithTimestamps()methodonEloquentrelationshipsisdeprecated,and4)TheRequestclassnowpreferstherules()methodforvalidatio

The Productivity Paradox: Maintaining Focus and Motivation in Remote SettingsThe Productivity Paradox: Maintaining Focus and Motivation in Remote SettingsApr 26, 2025 am 12:17 AM

Tomaintainfocusandmotivationinremotework,createastructuredenvironment,managedigitaldistractions,fostermotivationthroughsocialinteractionsandgoalsetting,maintainwork-lifebalance,anduseappropriatetechnology.1)Setupadedicatedworkspaceandsticktoaroutine.

Building Trust from Afar: Fostering Collaboration in Distributed EnvironmentsBuilding Trust from Afar: Fostering Collaboration in Distributed EnvironmentsApr 26, 2025 am 12:13 AM

Tofostercollaborationandtrustinremoteteams,implementthesestrategies:1)Establishregular,structuredcommunicationwithpersonalcheck-ins,2)Usecollaborativetoolsfortransparency,3)Recognizeandcelebrateachievements,and4)Fosteracultureoftrustandadaptability.

What are the key features of the latest Laravel version?What are the key features of the latest Laravel version?Apr 26, 2025 am 12:01 AM

Laravel's latest version of the main features include: 1. LaravelOctane improves application performance, 2. Improved model factory support relationships and state definitions, 3. Enhanced Artisan commands, 4. Improved error handling, 5. New Eloquent accessors and modifiers. These features significantly improve development efficiency and application performance, but need to be used with caution to avoid potential problems.

The Illusion of Inclusion: Addressing Isolation and Loneliness in Remote WorkThe Illusion of Inclusion: Addressing Isolation and Loneliness in Remote WorkApr 25, 2025 am 12:28 AM

Tocombatisolationandlonelinessinremotework,companiesshouldimplementregular,meaningfulinteractions,provideequalgrowthopportunities,andusetechnologyeffectively.1)Fostergenuineconnectionsthroughvirtualcoffeebreaksandpersonalsharing.2)Ensureremoteworkers

Laravel for Full-Stack Development: A Comprehensive GuideLaravel for Full-Stack Development: A Comprehensive GuideApr 25, 2025 am 12:27 AM

Laravelispopularforfull-stackdevelopmentbecauseitoffersaseamlessblendofbackendpowerandfrontendflexibility.1)Itsbackendcapabilities,likeEloquentORM,simplifydatabaseinteractions.2)TheBladetemplatingengineallowsforclean,dynamicHTMLtemplates.3)LaravelMix

Video Conferencing Showdown: Choosing the Right Platform for Remote MeetingsVideo Conferencing Showdown: Choosing the Right Platform for Remote MeetingsApr 25, 2025 am 12:26 AM

Key factors in choosing a video conferencing platform include user interface, security, and functionality. 1) The user interface should be intuitive, such as Zoom. 2) Security needs to be paid attention to, and Microsoft Teams provides end-to-end encryption. 3) Functions need to match requirements, GoogleMeet is suitable for short meetings, and CiscoWebex provides advanced collaboration tools.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

VSCode Windows 64-bit Download

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

MantisBT

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor