# Cross-Site Request Forgery (CSRF) in Laravel

In a CSRF attack the attacker borrows the victim's authenticated identity: a forged request is sent in the user's name, and the application carries out an operation the user never authorized.

Laravel's CSRF protection assigns a token to every session when the session is started:

```php
// Illuminate\Session\Store
public function regenerateToken()
{
    $this->put('_token', Str::random(40));
}
```

Once the `VerifyCsrfToken` middleware is registered, the core logic runs in its `handle()` method:

```php
// App\Http\Middleware\VerifyCsrfToken (extends Illuminate\Foundation\Http\Middleware\VerifyCsrfToken)
public function handle($request, Closure $next)
{
    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->inExceptArray($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}
```

- `$this->isReading()` checks whether the request method is one of `['HEAD', 'GET', 'OPTIONS']`.
- `$this->runningUnitTests()` checks whether the application is currently running unit tests.
- `$this->inExceptArray()` checks whether the request URI is on the list of routes excluded from CSRF verification.
- `$this->tokensMatch()` performs the actual token comparison.

```php
protected function tokensMatch($request)
{
    // Get the token carried by the request (form field or header)
    $token = $this->getTokenFromRequest($request);

    return is_string($request->session()->token()) &&
           is_string($token) &&
           hash_equals($request->session()->token(), $token);
}

protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        $token = $this->encrypter->decrypt($header);
    }

    return $token;
}
```

Once verification passes, the CSRF token is added to the response as a cookie, and the request is handed to the next handler in the pipeline via `$next`.

```php
protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(),
            Carbon::now()->getTimestamp() + 60 * $config['lifetime'],
            $config['path'], $config['domain'], $config['secure'], false
        )
    );

    return $response;
}
```
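To make the decision flow of `handle()` concrete, the following is an added, framework-free model of the same checks; it is example code written for this page, not Laravel's own implementation. Requests are plain arrays, the session is an array holding `_token`, the `$except` list uses shell-style patterns, and the cookie encrypter is replaced by a base64 stand-in so the `X-XSRF-TOKEN` path can be exercised offline. All function and variable names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's code: models the branches of VerifyCsrfToken::handle()
// so each can be exercised with constructed requests. A request is an array with
// 'method', 'uri', 'input' and 'headers'; the session is an array holding '_token'.

const SAFE_METHODS = ['HEAD', 'GET', 'OPTIONS'];   // what isReading() accepts

// Stand-in for Session::regenerateToken(): 40 characters from a CSPRNG.
function regenerateToken(array &$session): string
{
    $session['_token'] = bin2hex(random_bytes(20));
    return $session['_token'];
}

// Stand-in for getTokenFromRequest(): form field, then X-CSRF-TOKEN header,
// then the encrypted X-XSRF-TOKEN header, in that order.
function tokenFromRequest(array $request, callable $decrypt)
{
    $token = $request['input']['_token'] ?? null;
    $token = $token ?: ($request['headers']['X-CSRF-TOKEN'] ?? null);

    if (!$token && !empty($request['headers']['X-XSRF-TOKEN'])) {
        $token = $decrypt($request['headers']['X-XSRF-TOKEN']);
    }
    return $token; // may be null, a string, or (from a crafted body) an array
}

// Stand-in for tokensMatch(): both values must be strings before hash_equals(),
// which refuses non-strings and compares in constant time.
function tokensMatch(array $session, $token): bool
{
    return is_string($session['_token'] ?? null)
        && is_string($token)
        && hash_equals($session['_token'], $token);
}

// Stand-in for inExceptArray(): shell-style patterns matched against the path.
function inExceptArray(string $uri, array $except): bool
{
    foreach ($except as $pattern) {
        if (fnmatch(trim($pattern, '/'), trim($uri, '/'))) {
            return true;
        }
    }
    return false;
}

// The branch structure of handle(): true = pass to $next, false = TokenMismatchException.
// (The runningUnitTests() branch is omitted; it depends on the application environment.)
function verify(array $request, array $session, array $except, callable $decrypt): bool
{
    return in_array(strtoupper($request['method']), SAFE_METHODS, true)
        || inExceptArray($request['uri'], $except)
        || tokensMatch($session, tokenFromRequest($request, $decrypt));
}

// --- constructed walkthrough ----------------------------------------------------
$session = [];
$token   = regenerateToken($session);
$except  = ['api/webhook/*'];              // constructed exemption, like $except in the middleware

// Toy stand-in for the cookie encrypter: here the XSRF-TOKEN value is just base64.
$decrypt = fn(string $ciphertext) => base64_decode($ciphertext, true);

$tampered = substr($token, 1) . 'x';       // same length, guaranteed different

$cases = [
    'GET without token'            => ['method' => 'GET',  'uri' => '/profile', 'input' => [], 'headers' => []],
    'POST with correct _token'     => ['method' => 'POST', 'uri' => '/profile', 'input' => ['_token' => $token], 'headers' => []],
    'POST with tampered _token'    => ['method' => 'POST', 'uri' => '/profile', 'input' => ['_token' => $tampered], 'headers' => []],
    'POST with no token at all'    => ['method' => 'POST', 'uri' => '/profile', 'input' => [], 'headers' => []],
    'POST with _token as array'    => ['method' => 'POST', 'uri' => '/profile', 'input' => ['_token' => [$token]], 'headers' => []],
    'AJAX POST via X-CSRF-TOKEN'   => ['method' => 'POST', 'uri' => '/profile', 'input' => [], 'headers' => ['X-CSRF-TOKEN' => $token]],
    'AJAX POST via X-XSRF-TOKEN'   => ['method' => 'POST', 'uri' => '/profile', 'input' => [], 'headers' => ['X-XSRF-TOKEN' => base64_encode($token)]],
    'POST to excepted webhook URI' => ['method' => 'POST', 'uri' => '/api/webhook/github', 'input' => [], 'headers' => []],
];

foreach ($cases as $label => $request) {
    printf("%-30s -> %s\n", $label,
        verify($request, $session, $except, $decrypt) ? 'allowed' : 'TokenMismatchException');
}
```

Running the walkthrough shows the safe GET, the three correctly-tokened POSTs (body field, `X-CSRF-TOKEN`, `X-XSRF-TOKEN`) and the excepted webhook route passing, while the tampered, missing and array-valued tokens are rejected. The array case is why `tokensMatch()` checks `is_string()` on both sides before calling `hash_equals()`: a request body can submit `_token[]=...`, and `hash_equals()` would raise a `TypeError` on a non-string argument rather than return false. Every route you place in `$except` reopens exactly this door for that URI, so that list deserves the same review as an authentication bypass.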
