The CSRF Protection of Laravel appears to be inspired by the Ruby on Rails one. But this code doesn't reflect the CSRF protection behaviour of Ruby on Rails.

We should compare `$request->session()->token()` with `$request->input('_token')` and if it doesn't match, we should compare the `$request->session()->token()` with `$request->header('X-CSRF-TOKEN')`.

For a real world use case: if on your page you have a `<form>` cached with an outdated `csrf_token()`. When you submit the form, the CSRF protection will check matching tokens with the outdated CSRF token, then it will throw a `TokenMismatchException`. But the HTTP header `X-CSRF-TOKEN` sent to the server is good, so we should check matching tokens with it before throwing an exception.

PS: I know my explanations are a bit confusing, just tell me if you want more clarifications.
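The check the issue describes, written out as an added PHP example (this is illustration code, not Laravel's own `VerifyCsrfToken` middleware): the session token is compared first with the `_token` form field and, only if that does not match, with the `X-CSRF-TOKEN` header. The `FakeRequest` and `FakeSession` classes are constructed stand-ins for the request object so the snippet runs on its own; `hash_equals` is PHP's constant-time string comparison.

```php
<?php
// Added example, not code from the Laravel project.
// Constructed stand-ins for the session and request objects the issue refers to.
final class FakeSession
{
    public function __construct(private string $token) {}
    public function token(): string { return $this->token; }
}

final class FakeRequest
{
    public function __construct(
        private FakeSession $session,
        private array $input,
        private array $headers,
    ) {}
    public function session(): FakeSession { return $this->session; }
    public function input(string $key): ?string { return $this->input[$key] ?? null; }
    public function header(string $key): ?string { return $this->headers[strtolower($key)] ?? null; }
}

/**
 * Return true when either the `_token` field or the `X-CSRF-TOKEN` header
 * matches the session token. The form field is checked first; the header is
 * the fallback the issue proposes for a cached form carrying a stale token.
 */
function tokensMatch(FakeRequest $request): bool
{
    $sessionToken = $request->session()->token();

    $candidates = [
        $request->input('_token'),
        $request->header('X-CSRF-TOKEN'),
    ];

    foreach ($candidates as $token) {
        // hash_equals compares in constant time so a mismatch does not leak
        // how many leading bytes of the token were correct.
        if (is_string($token) && hash_equals($sessionToken, $token)) {
            return true;
        }
    }

    return false;
}

// Scenario from the issue: the cached <form> carries an outdated token, but the
// X-CSRF-TOKEN header sent alongside it is current (sample values, constructed).
$session = new FakeSession('current-token');
$staleFormFreshHeader = new FakeRequest(
    $session,
    ['_token' => 'stale-token'],
    ['x-csrf-token' => 'current-token'],
);
var_dump(tokensMatch($staleFormFreshHeader)); // bool(true): header rescues the request

// Both stale: the middleware would still raise TokenMismatchException here.
$bothStale = new FakeRequest(
    $session,
    ['_token' => 'stale-token'],
    ['x-csrf-token' => 'stale-token'],
);
var_dump(tokensMatch($bothStale)); // bool(false)
```

Accepting the header as a fallback does not widen the attack surface: a cross-site HTML form cannot set a custom request header, so a request that carries a matching `X-CSRF-TOKEN` still originated from a page that could read the token.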