Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same license and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/18379954/
Date: 2020-09-14 08:19:09  Source: igfitidea

Why Laravel 4 CSRF token is not working?

Tags: laravel, token, csrf

Asked by lkartono

I'm actually playing around with Laravel 4. Right now I've implemented the CSRF token security on form post.

The problem is that this is not actually working, in the sense that the token generated in the session (Session::token()) is always the same, so when I try to re-submit a form or even post a form from another server, the security check Session::token() != Input::get('_token') (filters.php) is not working.

Anyone already faced this issue?

EDIT:
OK, I found the explanation for this. The token is actually different for each machine/session. It makes more sense now :) Thanks to everyone for your help.

Accepted answer by Dries Marien

Inside the form you have to create the token like this:

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

After that the token will be sent with the input. So when you receive the input you have to check the token like this:

Route::post('register', array('before' => 'csrf', function()
{
    return 'You gave a valid CSRF token!';
}));

This way you will place a filter before the route is accessed that checks the CSRF token.

Got this from the Laravel documentation right here

Answer by Trying Tobemyself

When the form is submitted, after processing the form you should change the CSRF token, like Session::put('_token', md5(microtime())); this will protect from form re-submission. For more info you can see this and this.

Answer by user2042930

I use the built-in regenerateToken function this way in my app/filter.php:

Route::filter('csrf', function()
{
    if (Session::token() != Input::get('_token'))
    {
        Session::regenerateToken();
        // Either redirect or throw here; throwing is what Laravel 4's default csrf filter does.
        throw new Illuminate\Session\TokenMismatchException;
    }
    // Token accepted: rotate it so the same form cannot be re-submitted.
    Session::regenerateToken();
});

Another note when you redirect with input!

In Laravel 4 the token is generated when you are using {{ Form::open(...) }} this way:

public function token()
{
    return $this->hidden('_token', $this->csrfToken);
}

So it uses a hidden input, which will set its value from the Input::old function if it exists.

To prevent this, you'll need to use Input::except('_token') if you don't want to render a form with an already outdated token, like this:

return Redirect::route('routename')->withInput(Input::except('_token'));
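Putting the accepted answer and the filter above together, here is an added example (not code from the thread or from Laravel itself) of what a complete Laravel 4 csrf filter and a protected register route could look like. It assumes PHP 5.6+ for hash_equals() and a route named 'register.form'; both are assumptions of this example, not part of the original answers.

```php
<?php
// app/filters.php (Laravel 4) -- added example, not the thread's own code.

// Rejects a POST whose _token does not match the session token, and rotates
// the token on every pass so a captured or re-submitted form cannot be replayed.
Route::filter('csrf', function()
{
    $expected = Session::token();
    $given    = (string) Input::get('_token', '');

    // hash_equals() (PHP 5.6+) compares in constant time and, unlike !=,
    // does not apply PHP's loose string comparison rules.
    if (!hash_equals($expected, $given))
    {
        Session::regenerateToken();
        // Same outcome as Laravel 4's default csrf filter: fail the request.
        throw new Illuminate\Session\TokenMismatchException;
    }

    // Valid token: rotate it so the same form cannot be submitted twice.
    Session::regenerateToken();
});

// app/routes.php
// Route name 'register.form' is an assumption of this example.
Route::get('register', array('as' => 'register.form', function()
{
    // Form::open() emits the hidden _token field for the current session token.
    return Form::open(array('url' => 'register'))
        . Form::text('email', Input::old('email'))
        . Form::submit('Register')
        . Form::close();
}));

Route::post('register', array('before' => 'csrf', function()
{
    $v = Validator::make(Input::all(), array('email' => 'required|email'));
    if ($v->fails())
    {
        // The filter already rotated the token; do not flash the stale one back
        // into the form through Input::old(), or the next submit fails as well.
        return Redirect::route('register.form')
            ->withInput(Input::except('_token'))
            ->withErrors($v);
    }
    return 'You gave a valid CSRF token!';
}));
```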

Answer by Eduardo Chongkan

When you use Blade to create the form, the _token gets automatically rendered inside of the form:

<?php echo Form::open(array('url' => '/', 'files' => true, 'id' => 'shareForm', 'method' => 'post')) ?>
...
HTML
...
<?php echo Form::close() ?>