I am just wondering how much the laravel CSRF protection really adds.
Correct me if I am wrong here, but couldn't you just scrape the contents of a page once you have acquired a session?
Laravel grabs the CSRF token that is coupled to a session and adds it to a page as a meta tag for AJAX requests:
<meta name="csrf-token" content="{{ csrf_token() }}">
https://laravel.com/docs/5.4/csrf#csrf-x-csrf-token
Of course you could remove the meta tag if you do not need the AJAX functionality, but let's just say you wouldn't.
Once you have a session in place, the CSRF token will remain the same for the session. Of course this is a lot of work for someone to set up, but isn't this a possible workaround to a CSRF token? I guess it still helps to have a layer of protection that prevents extremely easy copy/paste CSRF attacks.
Just curious, hopefully someone can expand on this.
Edit:
I know how CSRF works; people are confusing how Laravel deals with CSRF with how they expect it to work, though. People expect a CSRF token to be regenerated per request, but this is not the case with Laravel:
https://github.com/illuminate/session/blob/master/Store.php#L72
By the way, I also don't see how you would be able to verify AJAX CSRF requests if you didn't store your CSRF token across multiple requests.
Never mind, found the answer:
https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request
This goes in depth on why generating a new CSRF token for each request is a bad idea.
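The scenarios discussed in the question, as an added example that is not part of the original post and not Laravel's own code. It is a small Python model of a session-scoped CSRF check in the style of Laravel's VerifyCsrfToken middleware (token stored in the session as `_token`, accepted from a `_token` form field or an `X-CSRF-TOKEN` header, compared in constant time). The in-memory session store, the `laravel_session` cookie name, the token lengths and the request shape are assumptions made for the illustration; the meta tag is the one from the question.

```python
import hmac
import re
import secrets

# Constructed in-memory session store (stand-in for a Laravel session driver).
# Assumption for this example: session id -> session data, token kept under "_token".
SESSIONS = {}


def start_session():
    """Create a session with a fresh CSRF token, as on a first visit."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"_token": secrets.token_urlsafe(30)}
    return sid


def csrf_token(sid):
    """The same token is handed out for every request in the session."""
    return SESSIONS[sid]["_token"]


def regenerate_token(sid):
    """Replace the session token, as an application does on login/logout."""
    SESSIONS[sid]["_token"] = secrets.token_urlsafe(30)


def render_page(sid):
    """A page carrying the meta tag from the question."""
    return f'<html><head><meta name="csrf-token" content="{csrf_token(sid)}"></head></html>'


def scrape_token(html):
    """Attacker side: pull the token out of a page the attacker can read."""
    m = re.search(r'<meta name="csrf-token" content="([^"]+)">', html)
    return m.group(1) if m else None


def tokens_match(request):
    """Server side: token from the _token field or X-CSRF-TOKEN header must equal
    the session token. hmac.compare_digest avoids a timing side channel."""
    sid = request.get("cookies", {}).get("laravel_session")
    session = SESSIONS.get(sid)
    if session is None:
        return False
    token = request.get("form", {}).get("_token") or request.get("headers", {}).get("X-CSRF-TOKEN")
    if not token:
        return False
    return hmac.compare_digest(token, session["_token"])


def simulate():
    """Run the scenarios from the question; returns which requests are accepted."""
    victim = start_session()
    cookie = {"laravel_session": victim}

    # 1. Normal form post: the victim's own page supplied the token.
    legit = tokens_match({"cookies": cookie, "form": {"_token": csrf_token(victim)}})

    # 2. Classic CSRF: an attacker page auto-submits a form. The browser attaches the
    #    victim's cookie, but the attacker never saw the token, so the field is absent.
    forged = tokens_match({"cookies": cookie, "form": {"amount": "1000"}})

    # 3. Guessing a token does not help either.
    guessed = tokens_match({"cookies": cookie, "form": {"_token": secrets.token_urlsafe(30)}})

    # 4. The question's scenario: the attacker can already read the victim's page
    #    (same-origin access such as XSS, or an acquired session). The meta tag then
    #    gives the token away and an AJAX-style request with X-CSRF-TOKEN passes.
    scraped = scrape_token(render_page(victim))
    replayed = tokens_match({"cookies": cookie, "headers": {"X-CSRF-TOKEN": scraped}})

    # 5. The token is stable within the session, so the scraped value keeps working
    #    until the session regenerates it, after which the old value is rejected.
    stable = csrf_token(victim) == scraped
    regenerate_token(victim)
    after_regen = tokens_match({"cookies": cookie, "headers": {"X-CSRF-TOKEN": scraped}})

    return {
        "legit": legit,
        "forged": forged,
        "guessed": guessed,
        "replayed_scraped": replayed,
        "token_stable_in_session": stable,
        "scraped_after_regenerate": after_regen,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:26} -> {result}")
```

The point the model makes explicit: the forged and guessed requests fail because a cross-site page can send the cookie but cannot read the response that contains the token, which is the Same Origin Policy doing the work. The "scrape the page" case succeeds only for an attacker who already reads responses in the victim's session, and at that point the token is not the boundary being crossed; rotating the token per request would not close that gap, but regenerating it on privilege changes limits how long a scraped value stays valid.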