CSRF Protection

I know what a CSRF attack is, and I read the documentation about it, but it's hard for me to understand how CSRF protection works in depth, and I have some general questions that I could not find.

The documentation says that Laravel automatically generates a token for

... each active user session managed by the application.

  • Where does it create the token (what part of the code runs it)?
  • Where is the token stored after creation, in a cookie? In the session? How can I extract and see what has been saved? Is this all actually managed by session.php?
  • What does this mean when I reload the page? Is the token the same, since session.php has a 120-minute default lifetime?
  • What happens with this cookie when I go to a subdomain handled by the same application if I set the domain property to "." . env('APP_URL')?

So, as soon as the token has been created and stored somewhere, when I make a request I have to provide csrf_token() as a hidden field in the form, or generate it as a meta field and pass it to my JS file if I execute an AJAX request.

  1. So what happens at a low level when I really make a request? The request generates csrf_token(), Laravel encrypts the cookie, and Laravel checks whether the cookie sent is the same as the one in the session. If yes, does that mean the request is valid, and if not, it throws a TokenMismatchException?

  2. Does this mean that every request during the lifetime of the cookie will have the same token?

  3. Does Laravel encrypt request and response files differently? If I exclude the token from cookie encryption in the EncryptCookies class, I get the same token, but when I leave it, the hashes are different.

  4. How is providing a _token in the request data different from forwarding the token as an X-CSRF-TOKEN header? How does Laravel confirm them if I see them unencrypted? Are they encrypted after the request?

+7
php cookies csrf laravel token
1 answer
  • Where does it create the token (what part of the code runs it)?

Going through the helpers file

 /vendor/laravel/framework/src/Illuminate/Foundation/helpers.php 

which has the definition of the helper method csrf_token(), which calls the token() method on

 /vendor/laravel/framework/src/Illuminate/Session/Store.php 

and if you check start(), which calls regenerateToken(): if _token has not been set, it saves a random 40-character string in the session under the _token key

    /**
     * Regenerate the CSRF token value.
     *
     * @return void
     */
    public function regenerateToken()
    {
        $this->put('_token', Str::random(40));
    }

  • Where is the token stored after creation, in a cookie? In the session? How can I extract and see what has been saved? Is this all actually controlled by session.php?

The token is stored in the session; it can be retrieved using session('_token'). The session expiration time is controlled in session.php using

    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

  • What does this mean when I reload the page? Is the token the same, since session.php has a 120-minute default lifetime?

If you check start() in /vendor/laravel/framework/src/Illuminate/Session/Store.php

    /**
     * Start the session, reading the data from a handler.
     *
     * @return bool
     */
    public function start()
    {
        $this->loadSession();

        if (! $this->has('_token')) {
            $this->regenerateToken();
        }

        return $this->started = true;
    }

the token is only regenerated if the session does not have a _token. So _token will be the same until the session ends.

+1
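The flow the answer describes, as an added stand-alone PHP illustration that is not Laravel's own code: a minimal session store that mints _token only when it is missing (so a reload keeps the same token), plus a check modelled on the VerifyCsrfToken middleware that accepts the token either from the _token form field or from the X-CSRF-TOKEN header. The class and function names are assumptions, the hex token stands in for Str::random(40), and the encrypted X-XSRF-TOKEN cookie path is left out.

```php
<?php
// Added illustration, not Laravel's code. TokenStore and verify_csrf are
// assumed names that model Illuminate\Session\Store and VerifyCsrfToken.
declare(strict_types=1);

final class TokenStore
{
    private array $data = [];

    // Mirrors Store::start(): mint a token only when the session lacks one,
    // so every request inside one session sees the same _token.
    public function start(): void
    {
        if (!isset($this->data['_token'])) {
            $this->regenerateToken();
        }
    }

    // Mirrors Store::regenerateToken(): a fresh 40-character random string
    // stored under the _token key (hex here; Laravel uses Str::random(40)).
    public function regenerateToken(): void
    {
        $this->data['_token'] = bin2hex(random_bytes(20));
    }

    public function token(): string
    {
        return $this->data['_token'];
    }
}

// Modelled on the middleware check: the submitted value may arrive as the
// _token request field or the X-CSRF-TOKEN header; it is compared to the
// session copy with hash_equals() so the comparison is constant-time.
function verify_csrf(TokenStore $session, array $input, array $headers): bool
{
    $sent = $input['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    return is_string($sent) && hash_equals($session->token(), $sent);
}

$session = new TokenStore();
$session->start();
$first = $session->token();
$session->start();                            // simulated page reload
assert($first === $session->token());         // same token, same session

assert(verify_csrf($session, ['_token' => $first], []));            // form field
assert(verify_csrf($session, [], ['X-CSRF-TOKEN' => $first]));      // AJAX header
assert(!verify_csrf($session, ['_token' => 'wrong-value'], []));    // mismatch -> 419
```

In real Laravel the mismatch branch is where TokenMismatchException is thrown; the two delivery paths (field and header) carry the same plain session token, and only the separate XSRF-TOKEN cookie goes through EncryptCookies.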
