Laravel 的 CSRF 令牌和负载均衡

Question

Consider this scenario:

An application has a login route that is protected by Laravel's CSRF filter:

Route::group(array('before' => 'csrf'), function() {

    Route::post('/doLogin', array('as' => 'doLogin', 'uses' => 'MainController@doLogin'));

});

The application sits behind a load balancer, where each request is doled out randomly to either server01 or server02 . Laravel is configured to persist sessions in a database, which is shared by both server01 and server02 . The standard path to follow is: a user accesses / , enters their credentials into a login form, and submits those credentials to /doLogin , which checks the token, processes the credentials, and returns the user to / on error, or /home on success.

My question is this: since there's no guarantee that a user who accesses / on server01 will post to /doLogin on server01 , will Laravel's built-in CSRF tokens work? Or since the token is stored in Session , will it work regardless of which server ends up being assigned by the LB?

Answer 1

CSRF will work regardless of which server it hits if session is shared between these servers.

Database, Cookie and memcached/redis session drivers are good.

File session driver should not work ususally.

CSRF token from client is compared with the one in the session.

Answer 2

You should use cookie or database driver for session handling .

for more info read laravel session doc .