[PHP] Laravel: how to disable the CSRF token

Source: Internet
Author: User

Reference article on CSRF attacks and vulnerabilities:

http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

Laravel enables CSRF protection by default. There are two ways to turn it off:

Method One

Open the file: app\Http\Kernel.php

Comment out this line:

'App\Http\Middleware\VerifyCsrfToken'

Method Two

Open the file: app\Http\Middleware\VerifyCsrfToken.php

Modify it to:

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Use CSRF:
        // return parent::handle($request, $next);

        // Disable CSRF:
        return $next($request);
    }
}

There are two ways to use the CSRF token. One is in the HTML code:

<input type="hidden" name="_token" value="{{ csrf_token() }}" />

Another way is to use cookies.

To use cookies, change app\Http\Middleware\VerifyCsrfToken.php to:

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Only writes the CSRF cookie to the response; this override
        // does not call tokensMatch(), so no token is verified here.
        return parent::addCookieToResponse($request, $next($request));
    }
}

With the cookie method, you do not need to add the hidden input tag to every page.

Of course, you can also apply CSRF only to specific kinds of form submission, for example:

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
use Illuminate\Session\TokenMismatchException;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // ADD this: POST requests skip the token check
        if ($request->method() == 'POST')
        {
            return $next($request);
        }

        // GET requests, or requests whose token matches, continue
        if ($request->method() == 'GET' || $this->tokensMatch($request))
        {
            return $next($request);
        }

        throw new TokenMismatchException;
    }
}

In this example CSRF is used only for the GET submission mode; for forms submitted by POST, CSRF is disabled, so POST requests reach the application without a token check.

How to change the CSRF cookie name

Usually when using CSRF, a cookie is written to the browser, such as:

To change this name, open the file: vendor\laravel\framework\src\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken.php

Find "XSRF-TOKEN" and modify it.

Of course, you can also override the addCookieToResponse(...) method in app\Http\Middleware\VerifyCsrfToken.php to do this.

In addition, if you need to skip CSRF only for specific pages, you can refer to the following article:

http://www.camroncade.com/disable-csrf-for-specific-routes-laravel-5/
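
One way to exempt only specific routes while keeping verification everywhere else, as an added example (not code from this article or the linked one). The property name `$exemptPaths`, the helper `isExempt()` and the route patterns are hypothetical, and a Laravel 5 application is assumed:

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * URI patterns that skip CSRF verification (hypothetical values).
     * Keep the list short: each entry is an endpoint that must
     * authenticate its callers some other way, such as a signed
     * webhook or an API token.
     *
     * @var array
     */
    protected $exemptPaths = [
        'webhooks/payment', // hypothetical third-party callback
        'api/v1/*',         // hypothetical token-authenticated API
    ];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Exempt routes bypass the token check entirely.
        if ($this->isExempt($request)) {
            return $next($request);
        }

        // Every other route keeps the framework's check, which throws
        // TokenMismatchException when the token does not match.
        return parent::handle($request, $next);
    }

    /**
     * True when the request path matches one of the exempt patterns.
     * Request::is() supports "*" wildcards.
     */
    protected function isExempt($request)
    {
        foreach ($this->exemptPaths as $pattern) {
            if ($request->is($pattern)) {
                return true;
            }
        }

        return false;
    }
}
```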
