
Laravel 5.1 Token mismatch between POST header token and token in session

UPDATE 2: It is definitely generating a whole new session & token upon executing the POST. My sessions are set up to be stored in files and I can physically see a new session get created straight after posting.

I still cannot find a reason for this. Any help is appreciated!


UPDATE: Upon further tracing of the issue I found in class VerifyCsrfToken that the validation is done by this line of code in protected function tokensMatch($request):

    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    return Str::equals($request->session()->token(), $token);

I copy the token from the initial page load (and check its session value) and they match.

    Token in session & hidden field (login page first load) = wHszQpffJC0gIov17pd2ZbPqtdbFq7yZh3U2QlOe

But the tokens are different when the POST takes place and they are compared. Somehow the token in session has been changed. I check like this:

    echo 'Token from request= ' . $token;
    echo 'Token from session= ' . $request->session()->token();

and I get this:

    Token from request= wHszQpffJC0gIov17pd2ZbPqtdbFq7yZh3U2QlOe
    Token from session= sfquUx6MhPaqdMR862kDZh8qYmpKDJ0Rbdghq1iA

I do this on a fresh browser / login attempt. Why would the token in session be different from the one carried across from the login page?


ORIGINAL Q: I am getting the above error on a fresh L5.1 install and cannot (after reading numerous links) get this problem solved. I am new to Laravel. Appreciate any suggestions.

My form looks like this:

    @extends('admin.layouts.default')

    @section('content')

    <div id="form" class="login">

        <img src="{{ $logo }}" class="logo"/>

        @include('admin.partials.message')

        {!! Form::open(['url' => '/login', 'class'=>'form']) !!}

            <div class="form-group">

                {!! Form::label('email', 'Email:', ['class'=>'control-label']) !!}
                {!! Form::email('email', null, ['class'=>'form-control', 'id'=>'email', 'required'=>'1']) !!}

            </div>

            <div class="form-group">

                {!! Form::label('password', 'Password:', ['class'=>'control-label']) !!}
                {!! Form::password('password', ['class'=>'form-control', 'id'=>'password', 'required'=>'1']) !!}

            </div>

            <div class="form-group text-left">

                {!! Form::checkbox('remember',  '1', null, ['id'=>'remember']) !!}
                {!! Form::label('remember', 'Remember Me', ['class'=>'control-label']) !!}

            </div>

            <div class="form-group">

                {!! Form::submit('Sign In', ['class'=>'btn btn-primary']) !!}

                <a href="/reset-password" class="text-muted">Forgot Your Password?</a>

            </div>

        {!! Form::close() !!}

    </div>

    <?php dd(session()); ?>
    @stop

My routes look like this:

    /*
    |--------------------------------------------------------------------------
    | Freely available routes for login, registration, password reset etc
    |--------------------------------------------------------------------------
    */
    Route::group([
        'middleware' => 'guest'
    ], function(){

        // Register
        Route::get('register', ['uses' => 'RegistrationController@create', 'as' => 'registration.create']);
        Route::post('register', ['uses' => 'RegistrationController@store', 'as' => 'registration.create']);

        // Activate
        Route::get('register/activate/{uuid}', ['uses' => 'RegistrationController@activate', 'as' => 'registration.activate']); // Pattern matched

        // Login/logout
        Route::get('login', ['uses' => 'Auth\AuthController@getLogin', 'as' => 'session.create']);
        Route::post('login', ['uses' => 'Auth\AuthController@postLogin', 'as' => 'session.create']);
        Route::get('logout', ['uses' => 'Auth\AuthController@getLogout', 'as' => 'session.destroy']);

        // Forgot password
        Route::get('reset-password', ['uses' => 'SessionController@reset_password', 'as' => 'session.reset_password']);

        // Change password
        Route::get('change-password', ['uses' => 'SessionController@change_password', 'as' => 'session.change_password']);
    });

The token on page load and in the session look the same, generated by FormBuilder.

Session:

    #attributes: array:1 [
        "_token" => "EE5qv7mhhyI0cutpXOgU6jgvUR2R58RubQ5pC128"
    ]

Page HTML:

    <input name="_token" type="hidden" value="EE5qv7mhhyI0cutpXOgU6jgvUR2R58RubQ5pC128">

Well, the problem, it turns out, was that I had set the session variable secure to true in the www/config/session.php file. This was causing Laravel to expect requests via HTTPS, which my development environment does not have set up, and thus causing the server to treat each GET or POST as a new request.

Hope this helps someone.
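As an added example (not part of the original answer or of Laravel itself), a config/session.php fragment showing the setting that produced the mismatch beside an environment-driven version, so the Secure flag stays on where the site is served over HTTPS and a local HTTP development setup still keeps its session; the SESSION_SECURE_COOKIE variable name is an assumption.

```php
<?php
// config/session.php (added example; the asker's actual file is not shown)

// What the asker had. With 'secure' => true the laravel_session cookie is
// issued with the "Secure" attribute, so a browser talking plain http://
// never sends it back. Every request then starts a fresh session with a
// fresh _token, and VerifyCsrfToken::tokensMatch() compares the _token from
// the form against a token that no longer exists in any session.
//
//     'secure' => true,
//
// Quick check: look at the Set-Cookie header for laravel_session on the
// GET /login response. If it ends in "; Secure" while the page was loaded
// over http://, this is the cause.

return [
    // ... other session settings unchanged ...

    // Drive the flag from the environment instead of hard-coding it.
    // SESSION_SECURE_COOKIE is an assumed variable name: set it to true in
    // the .env of any host served over HTTPS, leave it unset (false) in a
    // local .env that is reached over http://. Laravel's env() helper maps
    // the strings "true"/"false" to booleans; the cast covers other values.
    'secure' => (bool) env('SESSION_SECURE_COOKIE', false),
];
```

Keeping the flag on for HTTPS deployments is what prevents the session cookie from being sent in clear text; the mismatch only arises when the flag and the scheme actually used disagree.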
