Laravel CSRF protection

Question

I know what CSRF attack is, and I have read the documentation about it, however I have trouble understanding how CSRF protection works in depth, and have some general questions I couldn't find.

In the documentation it says that Laravel automatically generates a token for

... each active user session managed by the application.

Where does it create the token (what part of the code triggers it)?
Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by session.php?
What does this mean when I reload the page, is the token still the same as the session.php has 120 min default lifetime?
What happens with that cookie when I navigate to subdomain handled by the same app if I have set my domain property to be "." . env('APP_URL')?

So once the token has been created and stored somewhere, when making a request, I have to provide either csrf_token() hidden property to the form, or generate it as a meta field and redirect to my JS file if I'm doing an AJAX request.

So what happens in low-level when I actually make a request? Request generates csrf_token(), Laravel encrypts the cookie, Laravel checks if the cookie sent is the same as the cookie in session. If yes, it means that the request is valid, if not, throw TokenMissmatchException?
Does that mean that every request during the lifetime of the cookie will have the same token?
Does Laravel encrypt request and response cookies differently? If I exclude token from cookie encryption in EncryptCookies class I get the same token, but when I leave it, hashes are different.
How does providing _token in the request data differ from forwarding token as X-CSRF-TOKEN header? How does Laravel validate those if I see them unencrypted? Do they get encrypted after the request?

There are a lot of different questions here, which doesn't work well with the format of this site: while it would be possible for an answer to cover them all, it would be easy to end up with multiple answers each covering different aspects, or the page devolving into discussions and amendments. It would be better if you could focus the question down a bit, and possibly raise multiple questions if necessary. — IMSoP
Maybe this answer will help you for internal logic for csrf stackoverflow.com/a/51673924/4701635 — Paresh Barad

linktoahref linktoahref · Accepted Answer · 2017-12-13T09:21:25

Where does it create the token (what part of the code triggers it)?

After going through the helpers file

/vendor/laravel/framework/src/Illuminate/Foundation/helpers.php

which had the definition of csrf_token() helper method, which calls the token method on

/vendor/laravel/framework/src/Illuminate/Session/Store.php

and if you check the start() which calls regenerateToken() if _token hasn't been set, it save a random 40 character string to the session with the key of _token

/**
 * Regenerate the CSRF token value.
 *
 * @return void
 */
public function regenerateToken()
{
    $this->put('_token', Str::random(40));
}

Where is the token stored after creation, in cookie? In session? How can I extract and see what has been stored? Is this all actually controlled by session.php?

The token is stored in session, you can extract it using session('_token'). The session expiration time is controlled in session.php using

'lifetime' => env('SESSION_LIFETIME', 120),

'expire_on_close' => false,

What does this mean when I reload the page, is the token still the same as the session.php has 120 min default lifetime?

If you check start() in /vendor/laravel/framework/src/Illuminate/Session/Store.php

/**
 * Start the session, reading the data from a handler.
 *
 * @return bool
 */
public function start()
{
    $this->loadSession();

    if (! $this->has('_token')) {
        $this->regenerateToken();
    }

    return $this->started = true;
}

the token is regenerated if the session does not have _token. So _token would be same until the session expires

Laravel CSRF protection

2 Answers