Laravel CSRF token禁用方法
2018-05-28
后端
前文CSRF攻击和漏洞的参考文章: http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html Laravel默认是开启了CSRF功能,需要关闭此功能有两种方法:方法一打开文件:appHttpKernel.php 把这行注释掉:'AppHttpMiddlewareVerifyCsrfToken' 方法二打开文件:appHttpMiddlewareVerifyCsrfToken.php 修改为: php namespace AppHttpMiddleware;use Closure;use IlluminateFoundationHttpMiddlewareVerifyCsrfToken as BaseVerifier;class VerifyCsrfToken extends BaseVerifier {/** * Handle an incoming request. * * @param IlluminateHttpRequest $request * @param Closure $next * @return mixed*/publicfunction handle($request, Closure $next) {//使用CSRF //return parent::handle($request, $next); // 禁用CSRFreturn$next($request); } } CSRF的使用有两种,一种是在HTML的代码中加入: <input type="hidden" name="_token" value="{{ csrf_token() }}"/> php namespace AppHttpMiddleware;use Closure;use IlluminateFoundationHttpMiddlewareVerifyCsrfToken as BaseVerifier;class VerifyCsrfToken extends BaseVerifier {/** * Handle an incoming request. * * @param IlluminateHttpRequest $request * @param Closure $next * @return mixed*/publicfunction handle($request, Closure $next) {return parent::addCookieToResponse($request, $next($request)); } } php namespace AppHttpMiddleware;use Closure;use IlluminateFoundationHttpMiddlewareVerifyCsrfToken as BaseVerifier;class VerifyCsrfToken extends BaseVerifier {/** * Handle an incoming request. * * @param IlluminateHttpRequest $request * @param Closure $next * @return mixed*/publicfunction handle($request, Closure $next) {// Add this:if($request->method() == 'POST') {return$next($request); }if ($request->method() == 'GET' || $this->tokensMatch($request)) {return$next($request); }thrownew TokenMismatchException; } } 修改CSRF的cookie名称方法通常使用CSRF时,会往浏览器写一个cookie,如: 要修改这个名称值,可以到打开这个文件:vendorlaravelframeworksrcIlluminateFoundationHttpMiddlewareVerifyCsrfToken.php 找到”XSRF-TOKEN“,修改它即可。 当然,你也可以在appHttpMiddlewareVerifyCsrfToken.php文件中,重写addCookieToResponse(...)方法做到。 另外,如需要对指定的页面不使用CSRF,可以参考如下文章: http://www.camroncade.com/disable-csrf-for-specific-routes-laravel-5/ |