[PHP]-Laravel-csrf token Disable method

Previous article

Reference articles for CSRF attacks and vulnerabilities:

Http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

Laravel default is to turn on the CSRF feature, there are two ways to turn off this feature:

Method One

Open File: app\http\kernel.php

To comment out this line:

' App\http\middleware\verifycsrftoken '

Method Two

Open File: app\http\middleware\verifycsrftoken.php

Modified to:

<?php namespace App\http\middleware; UseClosure; UseIlluminate\foundation\http\middleware\verifycsrftoken asBaseverifier;classVerifycsrftokenextendsBaseverifier {/** * Handle an incoming request. * * @param \illuminate\http\request $request * @param \closure $next * @return Mixed*/     Public functionHandle$request, Closure$next)    {        //use CSRF//return parent::handle ($request, $next); Disable CSRF        return $next($request); }}

There are two types of csrf used, one in HTML code:

<type= "hidden"  name= "_token"  value= "{{ Csrf_token ()}} "/>

Another way is to use cookies.

To use cookies, you need to change the app\http\middleware\verifycsrftoken.php to:

<?php namespace App\http\middleware; UseClosure; UseIlluminate\foundation\http\middleware\verifycsrftoken asBaseverifier;classVerifycsrftokenextendsBaseverifier {/** * Handle an incoming request. * * @param \illuminate\http\request $request * @param \closure $next * @return Mixed*/     Public functionHandle$request, Closure$next)    {        returnParent::addcookietoresponse ($request,$next($request)); }}

Using the cookie method, you can not add this input hidden tag to each page csrf.

Of course, you can also use CSRF for the specified form submission, such as:

<?php namespace App\http\middleware; UseClosure; UseIlluminate\foundation\http\middleware\verifycsrftoken asBaseverifier;classVerifycsrftokenextendsBaseverifier {/** * Handle an incoming request. * * @param \illuminate\http\request $request * @param \closure $next * @return Mixed*/     Public functionHandle$request, Closure$next)    {        //ADD this:        if($request->method () = = ' POST ')        {            return $next($request); }                if($request->method () = = ' GET ' | |$this->tokensmatch ($request))        {            return $next($request); }        Throw Newtokenmismatchexception; }}

Submit a form to post by using CSRF only for Get submission mode, disable CSRF

Modify the cookie name method for CSRF

Usually when using CSRF, a cookie is written to the browser, such as:

To modify this name value, you can open this file: vendor\laravel\framework\src\illuminate\foundation\http\middleware\verifycsrftoken.php

Find "Xsrf-token" and modify it.

Of course, you can also rewrite the Addcookietoresponse (...) in the app\http\middleware\verifycsrftoken.php file. method to do.

In addition, if you need to not use CSRF for the specified page, you can refer to the following article:

http://www.camroncade.com/disable-csrf-for-specific-routes-laravel-5/

[PHP]-Laravel-csrf token Disable method