Laravel 是否为 CSRF 令牌设置 Cookie
Does Laravel sets a Cookie for CSRF token
我想从 laravel 使用 XSRF-Token 键设置的 cookie 获取 CSRF 令牌。 (如所述here)
但我认为这个 cookie 包含其他内容,因为它的长度比普通 Laravel CSRF 令牌大得多。
此外,我认为我的 laravel 应用程序存在一些问题。因为它发送了两个 set-cookie headers 作为响应。
这是 laravel 在 set-cookie 响应中发送的内容 headers。
Set-Cookie: dsss=eyJpdiI6InFQQjdtUDN0TG1NZTNqZjZaY3MwMXc9PSIsInZhbHVlIjoiR2hzaVwvUTJlQ28yTTVqVFJUeG5QcDBINnRcLzB6VEZpXC9MSGRnQktaRHNCY0U4SFwvQ01DZ0hJYVZrcjFMT21jaE5obkpMTUVTM1Eyc0pPRzhTdkJcL2ZYUT09IiwibWFjIjoiZDI5ZGQxMjYyZjZmN2MyMjk5YzFmNmVjNDRhNjkwY2VhNGRjZjBhN2E0NWM1MTFmYjVhMjA2Y2YzYmU3ZjFiMCJ9; expires=Mon, 18-Jun-2018 08:51:39 GMT; Max-Age=7200; path=/; HttpOnly
Set-Cookie: XSRF-TOKEN=eyJpdiI6Im4ra21yZlFGRWZjZ2YrQjE5WVdUMXc9PSIsInZhbHVlIjoiRlQ0ZHFaVk9idEY2K3hEV3hxSExsZjNKZ080cjhiTFEwdGZFK3RaOGgxOSs3dHNLRmRhcThZVFwvZ3J2ZFpxdG1VYjY2UjBobzEraTNZRm1Ha1ZUeGtRPT0iLCJtYWMiOiI5YzAzNWFhMjE0ZjBiYTM4MzE2OTFkNDYyYmZlYTc4NzdjNjc1YmMxODZkYzliZTkzZDI0MjQ3NzY4YjhhMmNlIn0%3D; expires=Mon, 18-Jun-2018 08:51:39 GMT; Max-Age=7200; path=/
此外,我将 laravel_session cookie 重命名为 dsss。
我无法使用元标记来存储 cookie,因为我的所有 html 都被缓存了。但我可以发送新的回复 headers.
已更新
我已经把laravel_session改回原来的名字了,但是还是发了两个set-cookieheaders.
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlhRRUt3SDIrUXc0UGpSRVB0b1ZBUEE9PSIsInZhbHVlIjoiMWtsckVTZ2JRWlNXaXBkWG96WFhsMG00bVFBOHMxSUFaTGEwMlZtMkZPYmdZdks4bWpKTjdURktBanhBNjhsQUZTb1BFaVNacEkySDFOQTRCTUw1RUE9PSIsIm1hYyI6IjlkNTVjODdkMTQwYTQ3ZTkxOTNjYjljZDc3NTU3MjE5MTg2OTM5ODhjOTg0YjE0ODYyZjBhNzc1YTkzOWIxZDAifQ%3D%3D; expires=Mon, 18-Jun-2018 10:37:42 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6ImNxOTdCNkIydmFHbmlYRFVnYUdlb2c9PSIsInZhbHVlIjoiOUFWWmc5QkFGV1RrWUp6TzlNTUFaWFhhaFUyd0tyYTlFeE9XZWhRUzZ1ZnNHZTJDK3paRmtWdkNOQ1FERmVJKzNxVjZRMGRHemRjSXZMWU1sK1R6T0E9PSIsIm1hYyI6IjYyYjBlNTgwNDY0NzYxNjVlOWQ0MWE2NDFiYWU2NjI1NWUwYjY2MTAyNmYyNmZhOGU2ZGE1NDg3ZGQ1YjljMmEifQ%3D%3D; expires=Mon, 18-Jun-2018 10:37:42 GMT; Max-Age=7200; path=/; HttpOnly
实际上 csrf 令牌会自动存储在 cookie 中。如果您想检索它,请使用此 php 函数
echo $_COOKIE['XSRF-TOKEN'];
根据文档:
This cookie is primarily sent as a convenience since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the X-XSRF-TOKEN header.
我想从 laravel 使用 XSRF-Token 键设置的 cookie 获取 CSRF 令牌。 (如所述here)
但我认为这个 cookie 包含其他内容,因为它的长度比普通 Laravel CSRF 令牌大得多。
此外,我认为我的 laravel 应用程序存在一些问题。因为它发送了两个 set-cookie headers 作为响应。
这是 laravel 在 set-cookie 响应中发送的内容 headers。
Set-Cookie: dsss=eyJpdiI6InFQQjdtUDN0TG1NZTNqZjZaY3MwMXc9PSIsInZhbHVlIjoiR2hzaVwvUTJlQ28yTTVqVFJUeG5QcDBINnRcLzB6VEZpXC9MSGRnQktaRHNCY0U4SFwvQ01DZ0hJYVZrcjFMT21jaE5obkpMTUVTM1Eyc0pPRzhTdkJcL2ZYUT09IiwibWFjIjoiZDI5ZGQxMjYyZjZmN2MyMjk5YzFmNmVjNDRhNjkwY2VhNGRjZjBhN2E0NWM1MTFmYjVhMjA2Y2YzYmU3ZjFiMCJ9; expires=Mon, 18-Jun-2018 08:51:39 GMT; Max-Age=7200; path=/; HttpOnly
Set-Cookie: XSRF-TOKEN=eyJpdiI6Im4ra21yZlFGRWZjZ2YrQjE5WVdUMXc9PSIsInZhbHVlIjoiRlQ0ZHFaVk9idEY2K3hEV3hxSExsZjNKZ080cjhiTFEwdGZFK3RaOGgxOSs3dHNLRmRhcThZVFwvZ3J2ZFpxdG1VYjY2UjBobzEraTNZRm1Ha1ZUeGtRPT0iLCJtYWMiOiI5YzAzNWFhMjE0ZjBiYTM4MzE2OTFkNDYyYmZlYTc4NzdjNjc1YmMxODZkYzliZTkzZDI0MjQ3NzY4YjhhMmNlIn0%3D; expires=Mon, 18-Jun-2018 08:51:39 GMT; Max-Age=7200; path=/
此外,我将 laravel_session cookie 重命名为 dsss。
我无法使用元标记来存储 cookie,因为我的所有 html 都被缓存了。但我可以发送新的回复 headers.
已更新
我已经把laravel_session改回原来的名字了,但是还是发了两个set-cookieheaders.
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlhRRUt3SDIrUXc0UGpSRVB0b1ZBUEE9PSIsInZhbHVlIjoiMWtsckVTZ2JRWlNXaXBkWG96WFhsMG00bVFBOHMxSUFaTGEwMlZtMkZPYmdZdks4bWpKTjdURktBanhBNjhsQUZTb1BFaVNacEkySDFOQTRCTUw1RUE9PSIsIm1hYyI6IjlkNTVjODdkMTQwYTQ3ZTkxOTNjYjljZDc3NTU3MjE5MTg2OTM5ODhjOTg0YjE0ODYyZjBhNzc1YTkzOWIxZDAifQ%3D%3D; expires=Mon, 18-Jun-2018 10:37:42 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6ImNxOTdCNkIydmFHbmlYRFVnYUdlb2c9PSIsInZhbHVlIjoiOUFWWmc5QkFGV1RrWUp6TzlNTUFaWFhhaFUyd0tyYTlFeE9XZWhRUzZ1ZnNHZTJDK3paRmtWdkNOQ1FERmVJKzNxVjZRMGRHemRjSXZMWU1sK1R6T0E9PSIsIm1hYyI6IjYyYjBlNTgwNDY0NzYxNjVlOWQ0MWE2NDFiYWU2NjI1NWUwYjY2MTAyNmYyNmZhOGU2ZGE1NDg3ZGQ1YjljMmEifQ%3D%3D; expires=Mon, 18-Jun-2018 10:37:42 GMT; Max-Age=7200; path=/; HttpOnly
实际上 csrf 令牌会自动存储在 cookie 中。如果您想检索它,请使用此 php 函数
echo $_COOKIE['XSRF-TOKEN'];
根据文档:
This cookie is primarily sent as a convenience since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the X-XSRF-TOKEN header.