I have a possibly silly doubt, as I am not used to this concept of XSRF & CSRF. I do know the use of CSRF protection to some extent, and currently, working on a project, I came across this piece of code in the built-in Laravel 5.1 VerifyCsrfToken middleware. I have a strong doubt about the line of code below.
protected function tokensMatch($request)
{
    // Plain token: from the _token form field, else from the X-CSRF-TOKEN header.
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    // Otherwise fall back to X-XSRF-TOKEN, which carries the encrypted XSRF-TOKEN cookie value.
    if (!$token && $header = $request->header('X-XSRF-TOKEN')) {
        $token = $this->encrypter->decrypt($header);
    }

    // Constant-time comparison against the session's token.
    return Str::equals($request->session()->token(), $token);
}
Why is the CSRF token being matched against just the session token, while the XSRF token is being decrypted as an encrypted string? I caught this doubt since my XSRF token is generated using just the Session::token() method, but on the next POST request the X-XSRF-TOKEN header carries that token and lands on this middleware, where it is decrypted and throws an Invalid Payload Data error with an exception :(
via Chebli Mohamed
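An added example (not Laravel's own code, and not part of the post above) that models the three lookups in tokensMatch() with a stand-in encrypter mimicking Laravel 5.1's cookie payload format. The decrypt step exists because Laravel's EncryptCookies middleware encrypts the XSRF-TOKEN cookie on the way out, so a client that echoes that cookie into X-XSRF-TOKEN is sending ciphertext, whereas _token and X-CSRF-TOKEN carry the plain session token. MiniEncrypter, the tokensMatch() function and the sample key, session token and headers are all constructed here.

```php
<?php
// Added example, not Laravel's code: a small model of tokensMatch() with an
// encrypter that mimics Laravel 5.1's cookie payload (base64 JSON of iv/value/mac).
final class MiniEncrypter
{
    private string $key;                      // 32-byte key, as for AES-256-CBC
    public function __construct(string $key) { $this->key = $key; }
    public function encrypt(string $plain): string
    {
        $iv  = random_bytes(16);
        $ct  = openssl_encrypt($plain, 'AES-256-CBC', $this->key, 0, $iv); // base64 ciphertext
        $mac = hash_hmac('sha256', base64_encode($iv) . $ct, $this->key);
        return base64_encode(json_encode(['iv' => base64_encode($iv), 'value' => $ct, 'mac' => $mac]));
    }
    public function decrypt(string $payload): string
    {
        $p = json_decode((string) base64_decode($payload, true), true);
        if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
            // A bare Session::token() ends up here: it is not a JSON payload at all.
            throw new RuntimeException('The payload is invalid.');
        }
        if (!hash_equals(hash_hmac('sha256', $p['iv'] . $p['value'], $this->key), $p['mac'])) {
            throw new RuntimeException('The MAC is invalid.');
        }
        $plain = openssl_decrypt($p['value'], 'AES-256-CBC', $this->key, 0, base64_decode($p['iv']));
        if ($plain === false) { throw new RuntimeException('Could not decrypt the data.'); }
        return $plain;
    }
}
// Same three lookups as the middleware: _token input, X-CSRF-TOKEN, then X-XSRF-TOKEN (decrypted).
function tokensMatch(array $input, array $headers, string $sessionToken, MiniEncrypter $enc): bool
{
    $token = $input['_token'] ?? ($headers['X-CSRF-TOKEN'] ?? null);
    if (!$token && isset($headers['X-XSRF-TOKEN'])) {
        $token = $enc->decrypt($headers['X-XSRF-TOKEN']);
    }
    return is_string($token) && hash_equals($sessionToken, $token); // constant-time, like Str::equals
}
$enc     = new MiniEncrypter(random_bytes(32));      // constructed key
$session = bin2hex(random_bytes(20));                // stands in for Session::token()
$cookie  = $enc->encrypt($session);                  // what EncryptCookies stores in XSRF-TOKEN
var_dump(tokensMatch([], ['X-CSRF-TOKEN' => $session], $session, $enc)); // plain token in X-CSRF-TOKEN
var_dump(tokensMatch([], ['X-XSRF-TOKEN' => $cookie],  $session, $enc)); // encrypted cookie in X-XSRF-TOKEN
try {
    tokensMatch([], ['X-XSRF-TOKEN' => $session], $session, $enc);        // the poster's setup: plain token in X-XSRF-TOKEN
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                                        // decrypt() rejects it before any comparison
}
```

The first two calls succeed and the third raises, which is the behaviour the poster describes: a plain Session::token() belongs in _token or X-CSRF-TOKEN, and X-XSRF-TOKEN must carry the XSRF-TOKEN cookie value as the browser received it.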