Why if I don't put a {{csrf_field()}} at the end of a form (in a Laravel 5 view) I obtain a TokenMismatchException?
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow CC BY-SA, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original address: http://stackoverflow.com/questions/42363757/
Asked by Ad NAN
I am pretty new to PHP and Laravel and I have the following doubt about the {{csrf_field()}} notation inserted into a <form>.
Into a view I have the following form:
<form method="post" action="/registration">
    <div class="form-group">
        <label>Nome</label>
        <div class="input-group">
            <div class="input-group-addon"><i class="fa fa-user"></i></div>
            <input type="text" name="name" class="form-control" placeholder="Inserisci il tuo nome">
        </div>
    </div>
    <div class="form-group">
        <label>Cognome</label>
        <div class="input-group">
            <div class="input-group-addon"><i class="fa fa-user"></i></div>
            <input type="text" name="surname" class="form-control" placeholder="Inserisci il tuo cognome">
        </div>
    </div>
    <!-- Some other fields -->
    {{csrf_field()}}
    <button type="submit" class="btn btn-default">Submit</button>
</form>
That is handled by this minimalistic controller method:
public function store(Request $request)
{
return $request->all();
}
So if I put the {{csrf_field()}} "statement" before the submit button it works fine and the request is correctly handled by the controller method, but if I delete this line it doesn't work and I obtain a TokenMismatchException.
Why is it so, what exactly does this {{csrf_field()}} represent, and why do I have to use it in a form?
Answered by nvisser
Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user. Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. Anytime you define a HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request.
Please refer to the CSRF Protection documentation for more information.
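To make the mechanism described above concrete (the hidden field the question's form renders with {{csrf_field()}}, and the per-session token the middleware checks), here is an added example in plain PHP. It is not code from the question, the answers or Laravel itself: the function names csrfToken(), csrfField() and verifyCsrfToken(), the TokenMismatchException class defined here and the in-memory $session array are this example's own stand-ins for Laravel's csrf_field() helper, session store and VerifyCsrfToken middleware, modelled on the behaviour the documentation describes.

```php
<?php
// Added example: a stripped-down model of what Laravel's csrf_field() helper
// and its VerifyCsrfToken middleware do. Names below are this example's own.

class TokenMismatchException extends RuntimeException {}

// One token per session, created lazily and reused until the session ends.
function csrfToken(array &$session): string
{
    if (empty($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(20)); // 40 hex chars, unguessable
    }
    return $session['_token'];
}

// Renders the hidden <input> that {{ csrf_field() }} emits inside a <form>.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// Mirrors the middleware decision: state-changing requests must carry the
// session's token, either as the _token field or the X-CSRF-TOKEN header.
function verifyCsrfToken(string $method, array $post, array $headers, array $session): void
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return; // read-only methods are not protected
    }
    $sent     = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    $expected = $session['_token'] ?? null;
    // hash_equals compares in constant time so the token is not leaked via timing.
    if (!is_string($sent) || !is_string($expected) || !hash_equals($expected, $sent)) {
        throw new TokenMismatchException('CSRF token mismatch');
    }
}

// --- constructed walk-through (sample data, not real traffic) --------------
$session = [];                        // the user's server-side session
echo csrfField($session), PHP_EOL;    // what the view renders into the form

// 1) Form submitted with the hidden field present: accepted.
$post = ['name' => 'Mario', 'surname' => 'Rossi', '_token' => $session['_token']];
verifyCsrfToken('POST', $post, [], $session);
echo "with _token: accepted", PHP_EOL;

// 2) Same form without {{ csrf_field() }}: rejected before store() ever runs.
try {
    verifyCsrfToken('POST', ['name' => 'Mario', 'surname' => 'Rossi'], [], $session);
} catch (TokenMismatchException $e) {
    echo "without _token: ", $e->getMessage(), PHP_EOL;
}

// 3) A token that belongs to a different session: also rejected, which is
//    why the value must come from the page the server rendered for this user.
$otherSession = [];
csrfToken($otherSession);
try {
    verifyCsrfToken('POST', ['_token' => $otherSession['_token']], [], $session);
} catch (TokenMismatchException $e) {
    echo "foreign token: ", $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`: case 1 prints "accepted", cases 2 and 3 print the mismatch message. Case 2 is exactly the situation in the question: the controller's store() method is never reached because the middleware rejects the request first. In real Laravel the token lives in the session store and the comparison is done with hash_equals in the same way; the only moving part you add to a view is the hidden field.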
Answered by Phillip Elm
CSRF stands for Cross-Site Request Forgery.
In this case, Laravel is requiring this field to be sent with the request so that it can verify the request is not a forgery when posted back.
A good explanation can be found here: https://stackoverflow.com/a/33829607/1068537
Answered by Ad NAN
The short answer is to prevent cross-site request forgery.
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
More on https://laravel.com/docs/5.4/csrf
In plain English, it is used to make sure that the submitted form was generated from the server and it is applied from a user's browser, not a robot or any kind of programmatic agent.
It is very important to handle CSRF whether you use a framework like Laravel or not.