Why if I don't put a {{csrf_field()}} at the end of a form (in a Laravel 5 view) I obtain a TokenMismatchException?

Question

I am pretty new to PHP and Laravel and I have the following doubt about the {{csrf_field()}} notation inserted into a <form>.

Into a view I have the following form:

<form method="post" action="/registration">

  <div class="form-group">
    <label>Nome</label>
    <div class="input-group">
      <div class="input-group-addon"><i class="fa fa-user"></i></div>
      <input type="text" name="name" class="form-control" placeholder="Inserisci il tuo nome">
    </div>
  </div>

  <div class="form-group">
    <label>Cognome</label>
    <div class="input-group">
      <div class="input-group-addon"><i class="fa fa-user"></i></div>
      <input type="text" name="surname" class="form-control" placeholder="Inserisci il tuo cognome">
    </div>
  </div>

  <!-- Some other fields -->

  {{csrf_field()}}

  <button type="submit" class="btn btn-default">Submit</button>

</form>

That is handled by this minimialistic controller method:

public function store(Request $request)
{
    return $request->all();
}

So if I put the {{csrf_field()}} "statment" before the submit button it works fine and the request is correctly handled by the controller method but if I delete this line it can't works and I obtain a TokenMismatchException.

Why it is so and what exactly represent this {{csrf_field()}} and why have I to use it in a form?

For a request method it search for csrf token – M A SIDDIQUI Feb 21 '17 at 09:46 — M A SIDDIQUI, Feb 21 '17 at 09:46

score 5 · Answer 1 · answered Feb 21 '17 at 09:46

Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user. Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. Anytime you define a HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request.

Please refer to the CSRF Protection documentation for more information.

Ok, my only doubt is that I am not an authenticated user. It is a public page. So how exactly works? — , Feb 21 '17 at 10:43

score 5 · Accepted Answer · edited May 23 '17 at 12:18

5

CSRF stands for Cross-Site Request Forgery.

In this case, Laravel is requiring this field to be sent with the request so that it can verify the request is not a forgery when posted back.

A good explanation can be found here: https://stackoverflow.com/a/33829607/1068537

edited May 23 '17 at 12:18

Community

1
1

answered Feb 21 '17 at 09:49

Phillip Elm

2,094
2
16
27

score 2 · Answer 3 · answered Feb 21 '17 at 09:57

The short answer is to prevent cross-site request forgery

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

More on https://laravel.com/docs/5.4/csrf

In plain English, it is used to make sure that the submitted form was generated from the server and it is applied from a user's browser, not a robot or any kind of programmatic agent.

It is very important to handle the CSRF whether you use framework like Laravel or not.

Why if I don't put a {{csrf_field()}} at the end of a form (in a Laravel 5 view) I obtain a TokenMismatchException?

3 Answers3