Why do I get a TokenMismatchException if I don't put {{csrf_field()}} at the end of a form (in a Laravel 5 view)?


Solution 1

CSRF stands for Cross-Site Request Forgery.

In this case, Laravel is requiring this field to be sent with the request so that it can verify the request is not a forgery when posted back.

A good explanation can be found here: https://stackoverflow.com/a/33829607/1068537

Solution 2

Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user. Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. Anytime you define an HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request.

Please refer to the CSRF Protection documentation for more information.

Solution 3

The short answer is to prevent cross-site request forgery.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

More on https://laravel.com/docs/5.4/csrf

In plain English, it is used to make sure that the submitted form was generated from the server and it is applied from a user's browser, not a robot or any kind of programmatic agent.

It is very important to handle CSRF whether you use a framework like Laravel or not.
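As an added illustration (not Laravel's own source, and not code from any of the answers), the following stripped-down PHP shows the synchronizer-token pattern the answers above describe: one random token per session, rendered as the hidden `_token` input that `{{csrf_field()}} ` emits, and compared against the session copy on every POST. The `$session` and `$post` arrays are constructed stand-ins for Laravel's session store and request body.

```php
<?php
// Added example (not Laravel's code): a minimal synchronizer-token check that
// mirrors what {{csrf_field()}} and the VerifyCsrfToken middleware do together.
declare(strict_types=1);

const TOKEN_NAME = '_token'; // field name used by csrf_field()

// Issue one random token per session (created on first use) and render it as
// the hidden input that {{csrf_field()}} inserts into the form.
function csrfField(array &$session): string
{
    if (empty($session[TOKEN_NAME])) {
        $session[TOKEN_NAME] = bin2hex(random_bytes(20)); // 40 hex chars
    }
    return '<input type="hidden" name="' . TOKEN_NAME . '" value="'
        . htmlspecialchars($session[TOKEN_NAME], ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a posted form: the token must be present and equal to the session
// copy. hash_equals() compares in constant time so the check leaks no timing.
function verifyCsrf(array $session, array $post): bool
{
    $expected = $session[TOKEN_NAME] ?? null;
    $given    = $post[TOKEN_NAME] ?? null;
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);
}

// What the middleware does before the controller's store() ever runs: reject
// the request (Laravel raises TokenMismatchException here) or let it through.
function handlePost(array $session, array $post): string
{
    if (!verifyCsrf($session, $post)) {
        throw new RuntimeException('TokenMismatchException: CSRF token missing or invalid');
    }
    return 'store() received: ' . json_encode($post);
}

// Constructed demo: the browser renders the form, then submits it twice.
$session = [];
$hidden  = csrfField($session);                       // goes into the <form>
$withToken    = ['name' => 'Mario', TOKEN_NAME => $session[TOKEN_NAME]];
$withoutToken = ['name' => 'Mario'];                  // {{csrf_field()}} deleted

echo handlePost($session, $withToken), PHP_EOL;        // accepted
try {
    echo handlePost($session, $withoutToken), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;      // the exception from the question
}
```

A forged form on another origin cannot read the victim's session token, so it cannot supply a matching `_token` and the same check rejects it.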

Author: Admin

Updated on July 26, 2022

Comments

  • Admin
    Admin over 1 year

    I am pretty new to PHP and Laravel and I have the following doubt about the {{csrf_field()}} notation inserted into a <form>.

    In a view I have the following form:

    <form method="post" action="/registration">
    
      <div class="form-group">
        <label>Nome</label>
        <div class="input-group">
          <div class="input-group-addon"><i class="fa fa-user"></i></div>
          <input type="text" name="name" class="form-control" placeholder="Inserisci il tuo nome">
        </div>
      </div>
    
      <div class="form-group">
        <label>Cognome</label>
        <div class="input-group">
          <div class="input-group-addon"><i class="fa fa-user"></i></div>
          <input type="text" name="surname" class="form-control" placeholder="Inserisci il tuo cognome">
        </div>
      </div>
    
      <!-- Some other fields -->
    
      {{csrf_field()}}
    
      <button type="submit" class="btn btn-default">Submit</button>
    
    </form>

    That is handled by this minimalistic controller method:

    public function store(Request $request)
    {
        return $request->all();
    }
    

    So if I put the {{csrf_field()}} "statement" before the submit button it works fine and the request is correctly handled by the controller method, but if I delete this line it doesn't work and I obtain a TokenMismatchException.

    Why is it so, what exactly does this {{csrf_field()}} represent, and why do I have to use it in a form?