laravel 4:为什么 Request::header() 没有得到指定的标头?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18585322/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
laravel 4: why is Request::header() not getting the specified header?
提问by Tyro Hunter
I'm trying to get a header value with:
我正在尝试使用以下方法获取标头值:
Request::header('csrf_token')
Request::header('csrf_token')
though, my firebug says in the headers that I have the csrf_token set to baMDpF0yrfRerkdihFack1Sa9cchUk8qBzm0hK0C. In fact, I can get that csrf_tokeninstead with a native php code:
不过,我的萤火虫在标题中说我将 csrf_token 设置为baMDpF0yrfRerkdihFack1Sa9cchUk8qBzm0hK0C. 事实上,我可以csrf_token用原生的 php 代码来代替:
getallheaders()['csrf_token']
getallheaders()['csrf_token']
Now the question is am I doing my XSRF-protection right? or maybe there is a flaw in that php code I did, that I really have to use buggy laravel 4 function
现在的问题是我在做我的 XSRF 保护吗?或者也许我做的那个 php 代码有缺陷,我真的必须使用有问题的 laravel 4 函数
Request::header('csrf_token')
Request::header('csrf_token')
which returns nothing but blank. And I just missed something. maybe in my Laravel 4 configurations, etc?
它只返回空白。我只是错过了一些东西。也许在我的 Laravel 4 配置中,等等?
P.S: I am using AngularJS, but maybe it does not matter what clientside I use. I have this link as my guide: How to send csrf_token() inside AngularJS form using Laravel API?
PS:我正在使用 AngularJS,但也许我使用的客户端并不重要。我有这个链接作为我的指南:How to send csrf_token() inside AngularJS form using Laravel API?
回答by RSorensen
I solved the problem by removing the underscore '_' in csrf_token so it would be crsftoken instead.
我通过删除 csrf_token 中的下划线 '_' 解决了这个问题,所以它会改为 crsftoken。
Request::header('csrf_token'); // Not working
Request::header('csrftoken'); // Working!
回答by John G
Problem
问题
Laravel is removing headers with an underscore in the name when retrieving them with the Request::header()method. Additionally, all header names are converted to lower case in the Request::header()method.
Laravel 正在使用该Request::header()方法检索标题时删除名称中带有下划线的标题。此外,所有标题名称在Request::header()方法中都转换为小写。
Short Solution
简短的解决方案
On the frontend, replace all underscores in header names with dashes. csrf_tokenbecomes csrf-token
在前端,用破折号替换标题名称中的所有下划线。csrf_token变成csrf-token
Long Solution
长解
Add the Laravel CSRF token as an Angular constant on your main page / layout.
在主页/布局上添加 Laravel CSRF 令牌作为 Angular 常量。
<script>
angular.module("myApp").constant("CSRF_TOKEN", "<?php echo csrf_token(); ?>");
</script>
Add the token as a default header for all your requests in Angular.
将令牌添加为 Angular 中所有请求的默认标头。
angular.module("myApp").run(function($http, CSRF_TOKEN){
$http.defaults.headers.common["csrf-token"] = CSRF_TOKEN;
})
Have your csrffilter in Laravel check for a match in the headers rather than an input.
让csrfLaravel 中的过滤器检查标题而不是输入中的匹配项。
/**
* Check that our session token matches the CSRF request header token.
*
* @return json
*/
Route::filter("csrf", function() {
if (Session::token() !== Request::header("csrf-token")) {
return Response::json(array(
"error" => array(
"code" => "403",
"message" => "Ah ah ah, you didn't say the magic word.",
),
));
}
}
回答by lightalex
I think the problem there is that in the following answer at How to send csrf_token() inside AngularJS form using Laravelthat you used, the csrf_token is not sent in the header of your XMLHttpRequest but in the form it self.
我认为问题在于,在如何使用您使用的 Laravel在 AngularJS 表单中发送 csrf_token()的以下答案中,csrf_token 不是在您的 XMLHttpRequest 的标头中发送,而是在它自身的表单中发送。
You need then to filter it in your laravel backend as a regular Input field. See below for a working example :
然后,您需要在 Laravel 后端将其作为常规输入字段进行过滤。请参阅下面的工作示例:
Route::filter('csrf_json', function()
{
if (Session::token() != Input::get('csrf_token'))
{
throw new Illuminate\Session\TokenMismatchException;
}
});
UPDATE
更新
If you want to use headers in Angular, you would rather write something like :
如果你想在 Angular 中使用标题,你宁愿写这样的东西:
$httpProvider.defaults.headers.common['Authorization'] = TOKEN;
In order to aplly a new header to your XMLHttpRequests. Then it is easily catchable even with raw php such as :
为了向您的 XMLHttpRequests 应用新的标头。然后即使使用原始 php 也很容易捕获,例如:
$aHeaders = getallheaders();
if (Session::token() != $aHeaders['authorization']) etc.
回答by msturdy
Request::header()is indeed used for the retrieval of headers, but check where the token is being set.. the CSRF token should be placed into the session by Laravel, and then it can be accessed through the Session::token()method.
Request::header()确实用于获取 headers,但是要检查 token 在哪里设置。CSRFtoken 应该由 Laravel 放入 session 中,然后可以通过Session::token()方法访问。
If you look at the HTML generated through calls to the Form::class, you'll see a hidden element called _token, which should then be compared to the token in the session. You can access that using Input::get('_token'), as with any other incoming GET or POST variable.
如果您查看通过调用Form::类生成的 HTML ,您将看到一个名为 的隐藏元素_token,然后应将其与会话中的令牌进行比较。您可以使用 访问它Input::get('_token'),就像任何其他传入的 GET 或 POST 变量一样。
...However, all this shouldn't really be necessary, as it can be managed easily through the pre-defined CSRFfilter in filters.php, just add that filter to the desired route or route groupand you'll be protected, without having to get into the details of it.
...然而,这一切都不是必需的,因为它可以通过 中的预定义CSRF过滤器轻松管理filters.php,只需将该过滤器添加到所需的路由或路由组,您将受到保护,而无需获取进入它的细节。
回答by Snakeoilslim
the problem is with the Symfony Request object, which is extended in the Laravel framework. See this github thread
问题出在 Laravel 框架中扩展的 Symfony 请求对象上。看到这个github线程
https://github.com/laravel/framework/issues/1655#issuecomment-20595277
https://github.com/laravel/framework/issues/1655#issuecomment-20595277
The solution in your case would be to set the header name to HTTP_CSRF_TOKEN or HTTP_X_CSRF_TOKEN if you like prefixing X to your custom http headers.
如果您喜欢在自定义 http 标头前添加 X 前缀,那么您的情况的解决方案是将标头名称设置为 HTTP_CSRF_TOKEN 或 HTTP_X_CSRF_TOKEN。
