I first hit this error when I was just starting to learn Laravel. I was not blogging yet, so I never wrote it down. This afternoon I ran into it again and, having some free time, decided to summarize it.

I. Why is this error thrown?
A: It is caused by the CSRF token protection middleware that ships with the Laravel framework. The middleware lives at /app/middleware/VerifyCsrfToken.php, and its job is to filter POST requests.
Laravel automatically generates a CSRF token for each user session. The token is used to verify that the logged-in user and the sender of the request are the same person; if they are not, the request fails. Laravel provides a global helper function, csrf_token() (stored locally in D:\www\laravel5.1\vendor\laravel\framework\src\Illuminate\Foundation\helpers.php), to fetch the token value.

II. What is CSRF protection?
CSRF (Cross-site request forgery), also known as a "one-click attack" or session riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds similar to cross-site scripting (XSS), it is very different: XSS exploits the trust a user places in a site, whereas CSRF exploits the trust a site places in its users by disguising forged requests as coming from a trusted user. Compared with XSS, CSRF attacks are less common (so resources for defending against them are scarce) and harder to defend against, which is why they are considered more dangerous than XSS.
From a programmer's point of view, see this link:
http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

III. How to avoid this error
1. When submitting a form via POST, include Laravel's global helper function csrf_token():
    <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
This line means that when the form is submitted it automatically carries the value generated by csrf_token(). When the route is accessed, Laravel checks that value: if the check fails the error is TokenMismatchException; if it succeeds the route is accessed normally.
2. If the request is an Ajax POST that does not submit a form, we can instead store the CSRF token in a meta tag on the page and read it from there.
In the Ajax call, add the headers attribute:
    $.ajax({
        // Send the token from the page's <meta name="csrf-token"> tag as a request header
        headers: {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        },
        url: '{{ url('/rsa_post') }}',
        type: 'POST',
        dataType: 'JSON'
    });
This way we can access the route correctly.
I have tried both of the above methods; they work without any problem and effectively avoid the error.

IV. When we do not want to enable the framework's own CSRF protection
Open laravel/app/middleware/VerifyCsrfToken.php.
1. Find the CSRF middleware, then modify it following my code:
    public function handle($request, Closure $next)
    {
        // Use CSRF
        return parent::handle($request, $next);
        // Disable CSRF
        // return $next($request);
    }
To use CSRF, keep the first return active; to disable it, comment it out and use the second return instead.
2. Sometimes we want to keep CSRF protection enabled but also need some POST endpoints to work without csrf_token(). What then?
A: The Laravel framework provides a dedicated property for this, as follows:
    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            //
            'upload',
            'rsa_post',
        ];

        /*
        public function handle($request, Closure $next)
        {
            // Use CSRF
            return parent::handle($request, $next);
            // Disable CSRF
            // return $next($request);
        }
        */
    }
This code uses $except to filter routes: the entries in $except are the names of the routes we do not want protected. The 'upload' and 'rsa_post' here are the routes I need to POST to. You can try it yourself; after testing, this approach works fine.

V. Source code analysis of Laravel's CSRF protection
1. Source code location:
From the middleware code, Laravel performs the protection in the middleware's handle() method. Readers with an IDE can jump to the function directly. Readers without an IDE can reach the source code via this path:
Path: laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
The source code is as follows:
    public function handle($request, Closure $next)
    {
        if (
            $this->isReading($request) ||
            $this->runningUnitTests() ||
            $this->shouldPassThrough($request) ||
            $this->tokensMatch($request)
        ) {
            return $this->addCookieToResponse($request, $next($request));
        }

        throw new TokenMismatchException;
    }
From the methods used in this source we can understand Laravel's protection mechanism.
2. Source analysis:
1) First, when Laravel starts a session it generates a token value and stores it in the session (the start() method in Illuminate\Session\Store.php, beginning at line 90). The corresponding source is:
    public function start()
    {
        // Read the session
        $this->loadSession();

        if (! $this->has('_token')) {
            $this->regenerateToken();
        }

        return $this->started = true;
    }
2) Next, the handle() method of the VerifyCsrfToken middleware. It first uses isReading() to examine the request: if the request method is one of HEAD, GET or OPTIONS, no CSRF validation is performed;
3) shouldPassThrough() checks whether the requested route is listed in the $except array; if it is excluded, it is not verified;
4) As for runningUnitTests(), I did not quite understand what it was for. After searching on Baidu, I learned roughly that it detects the environment the Laravel project is running in: if it was started from the CLI, it passes normally.
5) Finally, tokensMatch() checks whether the CSRF token value in the request parameters equals the token value in the session. If they are equal, validation passes; otherwise a TokenMismatchException is thrown.
The corresponding source is:
    public function handle($request, Closure $next)
    {
        if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) {
            return $this->addCookieToResponse($request, $next($request));
        }

        throw new TokenMismatchException;
    }
That is everything about Laravel's CSRF protection. When you really do not understand something, reading the source is king.
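As an added example (my own stand-alone model, not Laravel's code or the source quoted above), the following PHP reproduces the handle() decision just described: safe methods pass, routes listed in $except pass, and otherwise the token carried in the _token form field (the hidden input from section III) or in the X-CSRF-TOKEN header (the Ajax case) must equal the session token. The request array layout, the session token, the route names and the use of hash_equals for the comparison are assumptions of this example; runningUnitTests() is left out.

```php
<?php
// Added example modelling Laravel's VerifyCsrfToken decision (not framework code). A request is a plain array: method, path, input, headers.
final class CsrfCheckModel
{
    private string $sessionToken; // constructed stand-in for the session's _token
    private array $except;        // mirrors the middleware's $except property

    public function __construct(string $sessionToken, array $except = [])
    {
        $this->sessionToken = $sessionToken;
        $this->except = $except;
    }
    // isReading(): HEAD, GET and OPTIONS are never checked.
    private function isReading(array $req): bool
    {
        return in_array(strtoupper($req['method']), ['HEAD', 'GET', 'OPTIONS'], true);
    }
    // shouldPassThrough(): route listed in $except. Every entry is an endpoint a
    // cross-site POST reaches unchecked, so keep the list as short as possible.
    private function shouldPassThrough(array $req): bool
    {
        return in_array(trim($req['path'], '/'), $this->except, true);
    }
    // tokensMatch(): token from the _token field or the X-CSRF-TOKEN header must
    // equal the session token; hash_equals (constant-time) is this model's choice.
    private function tokensMatch(array $req): bool
    {
        $token = $req['input']['_token'] ?? $req['headers']['X-CSRF-TOKEN'] ?? '';
        return is_string($token) && $token !== '' && hash_equals($this->sessionToken, $token);
    }
    // Returns the outcome instead of calling $next or throwing, to stay stand-alone.
    public function handle(array $req): string
    {
        if ($this->isReading($req) || $this->shouldPassThrough($req) || $this->tokensMatch($req)) {
            return 'pass';
        }
        return 'TokenMismatchException';
    }
}
// Constructed sample requests against a constructed session token.
$m = new CsrfCheckModel('constructed-session-token', ['upload']);
$cases = [
    'GET /profile'               => ['method' => 'GET',  'path' => '/profile',  'input' => [], 'headers' => []],
    'POST /profile, no token'    => ['method' => 'POST', 'path' => '/profile',  'input' => [], 'headers' => []],
    'POST /profile, form _token' => ['method' => 'POST', 'path' => '/profile',  'input' => ['_token' => 'constructed-session-token'], 'headers' => []],
    'POST /rsa_post, Ajax hdr'   => ['method' => 'POST', 'path' => '/rsa_post', 'input' => [], 'headers' => ['X-CSRF-TOKEN' => 'constructed-session-token']],
    'POST /upload, in $except'   => ['method' => 'POST', 'path' => '/upload',   'input' => [], 'headers' => []],
];
foreach ($cases as $label => $req) {
    echo str_pad($label, 28) . ' => ' . $m->handle($req) . PHP_EOL;
}
```

Only the second case ends in TokenMismatchException; the last one passes solely because 'upload' is in $except, which is exactly the exposure the $except list trades away.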
End