Home > Net >  Laravel: CSRF token not needed for login via axios
Laravel: CSRF token not needed for login via axios

Time:07-25

When I use a form to post to the /login route, a valid CSRF token is needed.

<form role="form" method="POST" action="/login">

However, I can login completely without the token simply using:

axios.post("/login", { email:this.email, password:this.password })
    .then((res) => {
        window.location.href = "/dashboard";
    })

This is a security risk, right? Why is that? How can I fix it?

CodePudding user response:

It's not a vulnerability. If you check your resources/js/bootstrap.js file, a comment explains this.

/**
 * We'll load the axios HTTP library which allows us to easily issue requests
 * to our Laravel back-end. This library automatically handles sending the
 * CSRF token as a header based on the value of the "XSRF" token cookie.
 */

If you inspect the request made in the network tab of your browser's dev tools, you will see the XSRF-Token header.

CodePudding user response:

just add this in your frontend.blade.php file head:     

<meta name="csrf-token" content="{{ csrf_token() }}">

And in your bootstrap.js file it is well protected by declaring and authorizing axios.

Page link:https//www.codepudding.com/net/487523.html

Prev:getting same results from size command with different files ( C memory layout )
Next:laravel : in observer how to fired detach method for pivot table?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding