8

I am creating forms, and it does not matter how I do it, the CSRF _token is always the same!

It doesn't matter if I use

{{ Form::open(['route' => 'login']) }}

or if I use

{{ Form::token() }}

It is the same one every single time. Even after I make a successful Form submission. I figured it would get consumed and a new one would be generated, but no!

Did I miss a configuration step?

Note: I know that if the laravel_session gets regenerated, the _token is different, but as I had understood, the CSRF token was also the mechanism to avoid multiple form submissions, so it should change on every refresh of the page, or at least after it is consumed by one successful POST submission, no?

Enrique Moreno Tent
  • Where have you read that `CRSF token was also the mechanism to avoid multiple form submissions`, please? – peter.babic Jul 19 '14 at 18:00
  • It was also discussed here http://stackoverflow.com/questions/17239586/laravel-4-prevent-multiple-form-submissions-csrf-token – peter.babic Jul 19 '14 at 18:02
  • While that post does explain a method to avoid form resubmission, it does not explain the behavior about the token not being consumed. I would like to crack this, because it seems like a security hole. – Enrique Moreno Tent Jul 19 '14 at 18:16

2 Answers

10

It is not necessary to refresh the CSRF token for every request; generating the token per session will also be safe. Have a look at the OWASP cheat sheet for a better explanation.

Regenerating the token for every request can be done, but can result in usability issues. I think this is the reason why Laravel implements the token per session approach.

martinstoeckli
  • Thank you, that is quite an exhaustive explanation. It seems in the end this is the expected behavior. – Enrique Moreno Tent Jul 19 '14 at 20:52
  • If I log out and log back in, does that count as a session change? I mean if I log out and log back in, will the token change? – Rohan Dec 10 '14 at 11:13
  • @Rohan - Actually it depends on what the application will do when the user logs out. Technically a session cookie could remain valid until the browser is closed, though often the session is discarded when the user logs out. – martinstoeckli Dec 10 '14 at 12:10
2

From the code, the only relevant occurrences of _token or regenerateToken are in Illuminate/Session/Store, lines 89, 551 and 571. The occurrences are:

public function start()
{
    $this->loadSession();

    if ( ! $this->has('_token')) $this->regenerateToken();

    return $this->started = true;
}

public function token()
{
    return $this->get('_token');
}

public function regenerateToken()
{
    $this->put('_token', str_random(40));
}

This means that the token only gets regenerated when it is not present in the session. You have to regenerate it yourself if you want to, e.g. with Session::forget('_token');

peter.babic
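To make the two answers concrete, here is an added example (not Laravel's own code) that models the per-session logic quoted above and contrasts it with the per-request variant, showing the multi-tab usability issue martinstoeckli mentions. `startSession`, `tokenMatches` and `consumeToken` are hypothetical helpers standing in for `Session::start()`, token validation and `Session::forget('_token')`; a plain array stands in for the session store.

```php
<?php
// Added example, not Laravel's code: a plain array stands in for the session store.

// Per-session token: generated only when missing, mirroring Store::start() above.
function startSession(array &$session): void
{
    if (!isset($session['_token'])) {
        // 40 hex characters, comparable to str_random(40) in the quoted source.
        $session['_token'] = bin2hex(random_bytes(20));
    }
}

// Validate a submitted token; hash_equals keeps the comparison constant-time.
function tokenMatches(array $session, ?string $submitted): bool
{
    return isset($session['_token']) && $submitted !== null
        && hash_equals($session['_token'], $submitted);
}

// Per-request variant: drop the token after a successful POST so the next
// startSession() issues a fresh one (what Session::forget('_token') does).
function consumeToken(array &$session): void
{
    unset($session['_token']);
}

$session = [];

// A user opens the login form in two tabs; both render the same session token.
startSession($session);
$tabA = $session['_token'];
$tabB = $session['_token'];

// Tab A submits. Valid under either scheme.
startSession($session);
echo 'tab A accepted: ', var_export(tokenMatches($session, $tabA), true), PHP_EOL;

// Per-request scheme: consume the token after the successful POST...
consumeToken($session);
startSession($session);
// ...and the form still open in tab B is now rejected (the usability issue).
echo 'tab B, per-request: ', var_export(tokenMatches($session, $tabB), true), PHP_EOL;

// Per-session scheme (Laravel's default): nothing is consumed, tab B still works.
$session = ['_token' => $tabB];
startSession($session);
echo 'tab B, per-session: ', var_export(tokenMatches($session, $tabB), true), PHP_EOL;
```

Either scheme blocks a cross-site forged request, since the attacker's page cannot read the token; the per-session choice only trades the double-submit guard for not breaking forms left open in other tabs.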