Reference article on CSRF attacks and vulnerabilities:
http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html
Laravel enables CSRF protection by default. There are two ways to turn it off:
Method One
Open the file app\Http\Kernel.php and comment out this line:
    'App\Http\Middleware\VerifyCsrfToken',
Method Two
Open the file app\Http\Middleware\VerifyCsrfToken.php and change it to:
    <?php namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier {

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // Use CSRF:
            // return parent::handle($request, $next);

            // Disable CSRF: pass every request straight through without a token check
            return $next($request);
        }
    }
The CSRF token can be carried in two ways. One is a hidden field in the HTML form:
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
The other is a cookie.
To use the cookie, change app\Http\Middleware\VerifyCsrfToken.php to:
    <?php namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier {

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // Only attach the XSRF-TOKEN cookie to the response; no token is verified
            return parent::addCookieToResponse($request, $next($request));
        }
    }
With the cookie method you do not need to add the hidden _token input to every form. Note that this override only writes the cookie and no longer verifies the token on incoming requests, so the form field is unnecessary because no check is performed.
You can also apply the CSRF check only to certain submission methods, for example:
    <?php namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
    use Illuminate\Session\TokenMismatchException;

    class VerifyCsrfToken extends BaseVerifier {

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // Add this: POST requests skip the token check
            if ($request->method() == 'POST') {
                return $next($request);
            }

            // GET requests never need a token; any other method must present a matching one
            if ($request->method() == 'GET' || $this->tokensMatch($request)) {
                return $next($request);
            }

            throw new TokenMismatchException;
        }
    }
With this change, forms submitted by POST bypass the CSRF check (as GET requests always do); only other methods such as PUT or DELETE still require a matching token. Since most state-changing forms use POST, this leaves them unprotected, so treat it as a deliberate trade-off for the routes involved.
Changing the CSRF cookie name
When CSRF protection is in use, a cookie is written to the browser, such as the XSRF-TOKEN cookie.
To change this name, open the file vendor\laravel\framework\src\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken.php, find "XSRF-TOKEN" and modify it.
Alternatively, override the addCookieToResponse(...) method in app\Http\Middleware\VerifyCsrfToken.php, which avoids editing vendor code that a composer update would overwrite.
If you need to skip CSRF protection for specific pages only, see the following article:
http://www.camroncade.com/disable-csrf-for-specific-routes-laravel-5/
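As an added example in the same Laravel 5 middleware style as the overrides above (not code from the original post or the linked article), the following keeps the framework's full token check for every route and exempts only an explicit list of URI patterns; the two patterns shown are hypothetical placeholders.

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    // URI patterns that skip the CSRF check (hypothetical paths). Keep the
    // list short: only endpoints that never rely on a browser session,
    // e.g. signed webhook callbacks, belong here.
    protected $exceptUris = [
        'webhooks/payment-provider',
        'api/public/*',
    ];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Listed URIs bypass verification; every other route still goes
        // through the framework's token check and still receives the cookie.
        if ($this->isExempt($request)) {
            return $next($request);
        }

        return parent::handle($request, $next);
    }

    // Match the request path against the exemption list. Request::is()
    // accepts the same wildcard patterns as route matching.
    protected function isExempt($request)
    {
        foreach ($this->exceptUris as $uri) {
            if ($request->is($uri)) {
                return true;
            }
        }

        return false;
    }
}
```

Because unlisted routes still call parent::handle(), a token mismatch on them raises the framework's TokenMismatchException exactly as before.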
[PHP] Laravel: methods for disabling the CSRF token