
Update VerifyCsrfToken.php #7373

Closed
wants to merge 1 commit into from

Conversation

melisozmen

Never sure :) but after I delete the $this->encrypter->decrypt part from tokensMatch, my global CSRF middleware works fine.
Is it ok?
(I am using 5.0.2)
@barryvdh
Contributor

No

See #6541 #7287 #7288

@melisozmen
Author

Finally I solved all my problems.

After all these updates there is no need to put _token in every AJAX request or as a hidden form element.

For POST AJAX requests, put the code below in your global.js:

$(function () {
    $.ajaxSetup({
        headers: {
            'X-XSRF-TOKEN': $('meta[name="_token"]').attr('content')
        }
    });
});

Put the _token meta tag into your layouts:

  <meta name="_token" content="{{ csrf_token() }}"/>

Update the App\Http\Middleware\VerifyCsrfToken.php middleware:
<?php namespace App\Http\Middleware;

use Closure;
use Symfony\Component\Security\Core\Util\StringUtils;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        return parent::handle($request, $next);
    }

    /**
     * Determine if the session token matches the token sent with the request.
     * The header is compared as-is (no decrypt step) because it carries the
     * raw csrf_token() value taken from the _token meta tag.
     *
     * @param  \Illuminate\Http\Request $request
     * @return bool
     */
    protected function tokensMatch($request)
    {
        $token = $request->session()->token();

        $header = $request->header('x-xsrf-token'); // in keys, case sensitivity is important!

        // Constant-time comparison against the _token input first, then the header.
        return StringUtils::equals($token, $request->input('_token')) ||
            ($header && StringUtils::equals($token, $header));
    }

}

@melisozmen melisozmen closed this Feb 10, 2015
@RomainLanz

Rails uses the same method to handle the CSRF token. Maybe it's better to change the default template to have a token already inside.
