How is Laravel 8 CSRF token actually safe?
The most voted answer in this question (https://security.stackexchange.com/questions/19128/csrf-cookie-vs-session-based-tokens) states
If you put your token in a cookie, it will be send to the server automatically, just as session cookie, so you don't get any additional protection from that.
And Laravel seems to behave exactly as stated above. Here's the screenshot I have tested.
I am not sure whether I am doing some settings wrong or misunderstood about CSRF, but storing an extra CSRF cookie in addition to the session cookie really does not seem to be able to give any extra protection.
Any help would be appreciated.
Not always.
cookie with SameSite value of None will be always sent.
XSRF-TOKEN cookie has SameSite=Lax so it will be only sent at the same website.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#none
SameSite=NoneCookies will be sent in all contexts, i.e. in responses to both first-party and cross-site requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
SameSite=LaxCookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
- Why am I getting 401 errors on Livewire uploads
- Railway.app Laravel / Vue deployment: filepath error
- focus:outline-none not working Tailwind CSS with Laravel
- Laravel 9 mail on production get only this error - Expected response code "250" but got code "451"
- Consume API endpoint from Laravel + Inertia App
- Missing routes.php File in New Laravel Project
- Best case for seeding large data in Laravel
- Redis keys are not expiring - Laravel, Predis
- Disable Edit or Delete for specific record in Filament Laravel
- laravel 11. lorisleiva/laravel-actions. How to register command
- Laravel task scheduler doesn't work
- How to reference another docker service from Dockerfile
- Laravel Sail is not working properly in Ubuntu 20.04 LTS
- Undefined variable $form on remote server
- search with pagination is not working in laravel
- Does Laravel's "soft_delete" need index on MySQL?
- Optimize aggregate queries
- Not getting unpaid or partially paid records some can help me?
- In Laravel, how can I get the validation errors
- Laravel Database Insert Error in artisan tinker
- Display hidden not working with flex in Tailwind
- Laravel Nova: How to Create User and Associated Profile Simultaneously in One Step
- How do I get the @inertia directive to work in InertiaJS with Laravel?
- Laravel - htmlspecialchars() expects parameter 1 to be string, object given
- How to build vite each css files in a specific path (JS path working but not for CSS files) (Fixed!)
- How to Load Background Images from the Public Directory in CSS with Vite in Laravel?
- Member has protected visibility and is not accessible from the current context.PHP
- Target class [config] does not exist error in laravel for testing
- How to install all required PHP extensions for Laravel?
- Default Persistent Layout In Laravel + Inertia + Vite