Laravel middleware: used to prevent cross-site request forgery (CSRF) attacks

WBOY
Release: 2023-07-30 16:28:01


Overview:
In web applications, cross-site request forgery (CSRF) is a common attack. The attacker lures a logged-in user to a page under the attacker's control, and that page makes the user's browser submit a request to the target application, for example to change a password or transfer funds. Because the browser attaches the user's session cookie automatically, the application cannot distinguish the forged request from a genuine one unless the request carries something the attacker cannot obtain. Laravel ships a middleware that does exactly this: it requires every state-changing request to carry a secret token tied to the user's session.

Usage of CSRF middleware:
In Laravel the CSRF middleware needs almost no setup. It belongs to the web middleware group in app/Http/Kernel.php; in Laravel 10 and earlier a fresh install already registers it there, so the only thing to check is that the VerifyCsrfToken entry is present and has not been removed:

protected $middlewareGroups = [
    'web' => [
        // other middleware...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
    // other middleware groups...
];

With the middleware in the group, Laravel generates a random CSRF token when a session starts and stores it in the session; the token is kept for the life of the session (it changes when the session is regenerated, which the default login and logout flows do), not generated afresh on every request. For every request whose method is not HEAD, GET or OPTIONS, i.e. POST, PUT, PATCH and DELETE, the middleware reads the token from the _token form field or, for JavaScript clients, the X-CSRF-TOKEN or X-XSRF-TOKEN header, and compares it with the session token using a constant-time comparison. If they differ, or no token was sent, the request is rejected with an HTTP 419 response (a TokenMismatchException, rendered as "Page Expired") before it reaches the controller. Routes that must accept POSTs from third parties that cannot hold a session, such as payment-provider webhooks, can be listed in the middleware's $except array; those routes then receive no CSRF check at all and need some other form of caller authentication.
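To make that decision concrete, here is an added example (not Laravel's own code) that models the middleware's logic as plain PHP functions, runnable with the php CLI and no framework: which methods are skipped, where the token is read from, how $except patterns are matched (modelled on Str::is, an assumption of this example), and the constant-time comparison with an is_string() guard so that a missing token fails closed instead of raising a TypeError. The function names, the webhooks/* exclusion and the session token value are all constructed for the demo.

```php
<?php
// Added example, not Laravel's own code: a framework-free model of the decision
// Illuminate\Foundation\Http\Middleware\VerifyCsrfToken makes for a request.
// All request data below is constructed for the demo, and the session token is a
// fixed string standing in for the 40-character token Laravel keeps in the session.
declare(strict_types=1);

/** HEAD, GET and OPTIONS are "reading" methods and are never verified. */
function isReadingMethod(string $method): bool
{
    return in_array(strtoupper($method), ['HEAD', 'GET', 'OPTIONS'], true);
}

/**
 * Match a request path against one $except pattern the way Str::is() does:
 * '*' becomes '.*', everything else is literal, and leading/trailing slashes
 * are ignored. Modelling the matcher this way is an assumption of this example.
 */
function uriMatches(string $pattern, string $path): bool
{
    $pattern = $pattern === '/' ? '/' : trim($pattern, '/');
    $path    = $path === '/' ? '/' : trim($path, '/');
    if ($pattern === $path) {
        return true;
    }
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
    return preg_match($regex, $path) === 1;
}

/** The token a client may send: the _token form field, else the X-CSRF-TOKEN header. */
function tokenFromRequest(array $input, array $headers): ?string
{
    $token = $input['_token'] ?? null;
    if (!is_string($token) || $token === '') {
        $token = $headers['X-CSRF-TOKEN'] ?? null;
    }
    // Laravel additionally accepts X-XSRF-TOKEN (the encrypted cookie value);
    // decrypting it needs the application key, so it is left out here.
    return is_string($token) && $token !== '' ? $token : null;
}

/** Constant-time comparison that fails closed instead of throwing on a missing token. */
function tokensMatch(?string $sessionToken, ?string $requestToken): bool
{
    return is_string($sessionToken)
        && is_string($requestToken)
        && hash_equals($sessionToken, $requestToken);
}

/**
 * true  => the request would reach the controller
 * false => Laravel would throw TokenMismatchException (HTTP 419 "Page Expired")
 */
function csrfAllows(
    string $method,
    string $path,
    array $input,
    array $headers,
    ?string $sessionToken,
    array $except = []
): bool {
    if (isReadingMethod($method)) {
        return true;
    }
    foreach ($except as $pattern) {
        if (uriMatches($pattern, $path)) {
            return true;   // excluded routes get no CSRF check at all
        }
    }
    return tokensMatch($sessionToken, tokenFromRequest($input, $headers));
}

// --- demo with constructed requests ---------------------------------------
$sessionToken = 'Gy4cA2dJ1z7mQ9pL0sV3bN6xK8hT5rW1eU4oI2fD'; // constructed stand-in
$except       = ['webhooks/*'];                               // hypothetical exclusion

$cases = [
    'GET  /profile, no token'            => ['GET',  '/profile', [], []],
    'POST /profile, no token'            => ['POST', '/profile', [], []],
    'POST /profile, guessed token'       => ['POST', '/profile', ['_token' => 'guess'], []],
    'POST /profile, _token field'        => ['POST', '/profile', ['_token' => $sessionToken], []],
    'POST /profile, X-CSRF-TOKEN header' => ['POST', '/profile', [], ['X-CSRF-TOKEN' => $sessionToken]],
    'POST /webhooks/stripe (in $except)' => ['POST', '/webhooks/stripe', [], []],
];

foreach ($cases as $label => [$method, $path, $input, $headers]) {
    $allowed = csrfAllows($method, $path, $input, $headers, $sessionToken, $except);
    printf("%-38s -> %s\n", $label, $allowed ? 'pass' : '419 Page Expired');
}
```

Run it with php csrf_demo.php: the GET request and the excluded webhook pass without any token, the POSTs with no token or a guessed token are rejected, and the POSTs carrying the session token in either the _token field or the X-CSRF-TOKEN header pass. The webhook line is the cautionary one: a route listed in $except receives no CSRF check at all, so such routes must authenticate the caller another way, for instance with a signature over the request body.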

Generate CSRF token:
Laravel provides a global csrf_token() helper that returns the current session's CSRF token, for use in views. In an HTML form the token travels with the submission as a hidden input field placed inside the <form> tag, with the token as its value:

<form method="POST" action="/profile">  <!-- action path assumed; the original form tag was lost in extraction -->
    @csrf
    <!-- other form fields... -->
    <button type="submit">Save</button>
</form>

In the example above, the @csrf Blade directive generates the hidden token field. It compiles to a call to csrf_field(), which emits an <input type="hidden" name="_token" value="..."> tag whose value is the session's CSRF token. Keep the token in the POST body or a request header rather than in a URL: query strings end up in server logs, browser history and Referer headers.

If you build forms with the Form::open() helper from the laravelcollective/html package (it has not been part of core Laravel since 5.0), you do not need to add the field yourself: the helper emits the hidden _token input for every form whose method is not GET.

Manually verify CSRF token:
Besides the automatic check, the token can be verified by hand in a controller or route callback. This is useful for a route that has been excluded from the middleware through $except, or that lives outside the web group, but still needs protection on one particular action; on a route the middleware already covers it is redundant. The session side of the comparison comes from csrf_token() (equivalently Session::token() or $request->session()->token()). The request side has to be read from the submitted _token field or the X-CSRF-TOKEN header, since csrf_token() returns the session's token, not whatever the client sent.

The following is an example of manually verifying the CSRF token in the controller:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Session;

// Class and method names are assumed; the original declaration was lost in extraction.
class ProfileController extends Controller
{
    public function update(Request $request)
    {
        $token = $request->input('_token');

        // Guard with is_string(): hash_equals() throws a TypeError on PHP 8 when
        // given null, which is what input('_token') returns if the field is missing.
        if (!is_string($token) || !hash_equals(Session::token(), $token)) {
            // CSRF token verification failed
            abort(403, 'Unauthorized action.');
        }

        // CSRF token verification passed; continue with the operation
        // ...
    }
}

The example uses hash_equals() to compare the submitted token with the session token. A plain == comparison is not constant-time, so an attacker could learn how many leading bytes matched from response timing, and PHP's loose comparison adds type-juggling surprises; hash_equals() takes the same time whatever the inputs. The is_string() guard matters too: when the _token field is absent, $request->input('_token') returns null, and hash_equals() with a null argument throws a TypeError on PHP 8 instead of simply failing the check.

Summary:
Laravel's CSRF middleware provides a simple yet powerful way to prevent cross-site request forgery attacks. By automatically generating and validating CSRF tokens, we can effectively protect our applications from malicious requests. Whether it is automatic verification or manual verification, Laravel provides us with flexible and reliable options to secure our applications.


source:php.cn