What is CSRF token and how it works
Posted By Bajarangi soft, Posted On 23-01-2021
Laravel protects against CSRF attacks by generating a CSRF token. This token is created automatically for each user session. It is nothing more than a random string that the Laravel application keeps in the session and uses to verify that a request really comes from the user's own session and not from a form on a third-party site.
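To make the mechanism concrete, here is an added example in plain PHP that is not Laravel's own code: it models the three moving parts described above (a per-session random token, the hidden field that carries it back, and the middleware-style comparison). The function names issueCsrfToken, csrfHiddenField and verifyCsrfToken are invented for this demo, and $session is a plain array standing in for the server-side session store.

```php
<?php
declare(strict_types=1);

// Added example (not Laravel's own implementation): a stripped-down model of
// how a session-bound CSRF token is issued, embedded and checked.
// Invented names: issueCsrfToken, csrfHiddenField, verifyCsrfToken.
// $session is a plain array standing in for the server-side session store.

/** Create the token once per session and reuse it for every form rendered. */
function issueCsrfToken(array &$session): string
{
    if (empty($session['_token'])) {
        // Laravel keeps a 40-character random string in the session; this
        // demo uses 40 hex characters from the CSPRNG-backed random_bytes().
        $session['_token'] = bin2hex(random_bytes(20));
    }
    return $session['_token'];
}

/** The HTML that @csrf, csrf_field() and the manual <input> all boil down to. */
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

/**
 * Middleware-style check: every state-changing request must carry the token
 * that belongs to the same session. Returns true when the request may proceed.
 */
function verifyCsrfToken(string $method, array $input, array $session): bool
{
    // Read-only methods are not checked (Laravel skips GET/HEAD/OPTIONS too).
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $expected  = $session['_token'] ?? '';
    $submitted = $input['_token'] ?? null;
    if ($expected === '' || !is_string($submitted)) {
        return false; // no token in the session yet, or none/malformed submitted
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a submitted token were correct.
    return hash_equals($expected, $submitted);
}

// ---- Demo with a constructed session and constructed requests ----
$session = [];
echo csrfHiddenField($session), PHP_EOL; // the field the browser receives in the form
$token = $session['_token'];

$cases = [
    'legitimate POST carrying the session token' =>
        ['POST', ['_token' => $token, 'username' => 'alice']],
    'cross-site POST: a foreign page cannot read the token, so it is missing' =>
        ['POST', ['username' => 'alice']],
    'POST with a token that belongs to some other session' =>
        ['POST', ['_token' => bin2hex(random_bytes(20))]],
    'GET request: read-only, not checked' =>
        ['GET', []],
];

foreach ($cases as $label => [$method, $input]) {
    $verdict = verifyCsrfToken($method, $input, $session)
        ? 'accepted'
        : 'rejected (Laravel answers HTTP 419)';
    printf("%-75s -> %s%s", $label, $verdict, PHP_EOL);
}
```

Run it with `php csrf_demo.php`. The point the demo makes is that the token is never checked against a fixed value but against whatever is stored in the requesting user's session, so a page on another origin, which cannot read that session, cannot forge a matching field. In Laravel the same comparison is done by the VerifyCsrfToken middleware, which is part of the `web` middleware group and also accepts the token from an `X-CSRF-TOKEN` request header for JavaScript-driven requests.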
How to Use:
This CSRF token protection can be applied to any HTML form in a Laravel application by adding a hidden form field that carries the CSRF token. Incoming requests are then validated automatically by the VerifyCsrfToken middleware.
There are three different ways in which you can do this.
- @csrf
- csrf_field()
- csrf_token()
@csrf: This is a Blade template directive that generates the hidden input field in the HTML form.
Syntax:
<form method="POST">
@csrf {{-- Generate hidden input field --}}
.....
.....
</form>
Example:
<!DOCTYPE html>
<html>
<head>
<title>Laravel | CSRF Protection</title>
</head>
<body>
<section>
<h1>CSRF Protected HTML Form</h1>
<form method="POST">
@csrf
<input type="text" name="username"
placeholder="Username">
<input type="password" name="password"
placeholder="Password">
<input type="submit" name="submit" value="Submit">
</form>
</section>
</body>
</html>
csrf_field(): This function generates the hidden input field in the HTML form.
Note: The function call must be written inside double curly braces (Blade echo syntax).
Syntax:
<form method="POST">
{{-- Generate hidden input field --}}
{{ csrf_field() }}
.....
.....
</form>
Example:
<!DOCTYPE html>
<html>
<head>
<title>Laravel | CSRF Protection</title>
</head>
<body>
<section>
<h1>CSRF Protected HTML Form</h1>
<form method="POST">
{{ csrf_field() }}
<input type="text" name="username"
placeholder="Username">
<input type="password" name="password"
placeholder="Password">
<input type="submit" name="submit"
value="Submit">
</form>
</section>
</body>
</html>
csrf_token(): This function returns only the random token string; it does not generate the hidden input field.
Note: The hidden input field must be written explicitly, with name="_token", and the function call must be written inside double curly braces.
Syntax:
<form method="POST">
<input type="hidden" name="_token" value="{{ csrf_token() }}">
.....
.....
</form>
Example:
<!DOCTYPE html>
<html>
<head>
<title>Laravel | CSRF Protection</title>
</head>
<body>
<section>
<h1>CSRF Protected HTML Form</h1>
<form method="POST">
<input type="hidden" name="_token" value="{{ csrf_token() }}">
<input type="text" name="username"
placeholder="Username">
<input type="password" name="password"
placeholder="Password">
<input type="submit" name="submit"
value="Submit">
</form>
</section>
</body>
</html>
Output:
The output is the same for all three ways of generating the CSRF token: a hidden input named _token holding the session's token. In a Laravel application the CSRF token field should be generated at the start of every HTML form that submits a POST, PUT, PATCH or DELETE request, using any of the three ways above.