How to hide the token generated in the url by the variable

Asked

Viewed 789 times

1

I have this form with the method set to GET, but when the request is sent it sends the token in the URL. How can I hide the token from the URL?

URL: 127.0.0.1:8000/search?_token=bsL7AC1ymwC1UbtwWSRwz4d6YrirLsAP5Xbkfnqh&search=or

<form action="{{route('search')}}" method="get">
    <!-- A hidden field is still a form field: with method="get" it becomes a query-string parameter -->
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    <div class="input-group">
        <input type="text" class="form-control" name="busca" placeholder="Buscar..." required>
        <span class="input-group-btn">
            <button class="btn" type="submit">
                <i class="fa fa-search"></i>
            </button>
        </span>
    </div>
</form>

  • But it’s GET, it goes through the URL; I don’t think it’s possible to hide it, except perhaps by encrypting it.

  • But notice that the field is of type hidden; I imagined that a hidden field should not appear in the URL.

  • In fact, a hidden field is meant not to appear on screen, not to be hidden from the URL. For it not to show up in the URL, you need to use POST as the method.

  • Dude, I already got it: according to the documentation, the Laravel token is only required for other methods like PUT, POST and DELETE.

  • Cool that you got it; keep it as a lesson: input[type=hidden] only hides the field, it does not prevent it from showing up in the URL.

1 answer

2


This generated TOKEN will exist in the source of the generated HTML whether you want it or not; making it hidden in GET forms is virtually unnecessary. The TOKEN is only a key for comparison with the TOKEN that is in the session on the back-end side.

That’s a technique to try to stop CSRF attacks; that is how it is used: it "expires" and a new token is generated, so the old one is no longer useful.

So much so that, "to facilitate" Ajax applications, the Laravel docs show an example with the <meta> tag:

In HTML:

<meta name="csrf-token" content="{{ csrf_token() }}">

And to catch:

 document.querySelector('meta[name="csrf-token"]').getAttribute('content');

Or jQuery to set up all Ajax calls from the current page:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

In this case the META tag is used because "static" .js files do not talk directly to PHP (that’s how HTTP works; it’s not a matter of PHP).

That is, even if someone takes the TOKEN, it will expire when the form is submitted or when you reload the page; and even if you could hide it from the URL, anyone who wants to view the page source will get the TOKEN.

I should warn you that CSRF protection is a good technique, but it is not 100% guaranteed against attacks coming from outside; for this reason many people even opt for Captchas, for example:

  • reCaptcha
  • Nucaptcha

These are usually a little more reliable, though at times more complicated for the end user.
