针对Ajax请求的CSRF保护
[英]CSRF protection for ajax requests
问题描述
In laravel documentation , for ajax based applications, there is CSRF protection via HTML meta tag and cheking header request. 
在laravel文档中 ,对于基于Ajax的应用程序,通过HTML meta标签和cheking标头请求提供CSRF保护。
Why this method needed and why not check ajax request as usual request? 为什么需要这种方法,为什么不像往常一样检查ajax请求呢? I mean, if for ajax whe use POST method, then send CSRF token as usual parameter (for example as csrf_token ) and then check in server side (PHP) : 我的意思是,如果对于使用POST方法的ajax,则将CSRF令牌作为常规参数发送(例如,作为csrf_token ),然后在服务器端(PHP)签入:
if ( !isset($_POST['csrf_token']) OR $_POST['csrf_token'] !== $_SESSION['csrf_token'] ) {
// incorrect csrf token, stop processing
}
Cheking header request have some advantage than this method ? Cheking标头请求比这种方法有一些优势吗?
1 个解决方案
解决方案1
0 2018-08-19 01:09:45
If you are doing POST request, CSRF doesn't go through the header it goes through the http message body, what Laravel has is some kind of default middleware for csrf protection, where is the issue in that? 如果您正在执行POST请求,则CSRF不会通过HTTP消息正文中的标头,Laravel拥有用于csrf保护的某种默认中间件,那么问题出在哪里呢? If you go into assets/js folder you can see the CSRF token in bootstrap.js. 如果进入assets / js文件夹,则可以在bootstrap.js中看到CSRF令牌。
You can fetch a CSRF token from a global Javascript variable and send it through ajax post request body. 您可以从全局Javascript变量获取CSRF令牌,并将其通过ajax发布请求主体发送。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.