I'm trying to learn how to use Laravel Sanctum authentication. When I send GET https://localhost/sanctum/csrf-cookie I get the following CSRF cookies:

XSRF-TOKEN=eyJpdiI6Inhvb0FDVXdHZDU5QzBqQTNKaWNxTUE9PSIsInZhbHVlIjoiSXNudjNiNE9xbmtNVWdsQ0l2SDRyYUNPQXIrTGJLb2ZMVDc2NWttenZGY0NkcDRvQzFVQlZOMDRlNFdTOHJaNiIsIm1hYyI6ImY0Y2M2YzZiZWIxYWVmZTRmMWI5NWRhNTBhN2JmM2VjNGExYjU0MGYwYWVmYTE4ODQxM2I0YTFlMWVjZTVhMDkifQ%3D%3D; 

You can notice the strange %3D%3D at the end of the token. These characters are also added to my laravel_session cookie. When I then send back a request with this exact token in the X-XSRF-TOKEN header, I get a token mismatch error. When I remove the characters, all works. I wonder where these characters came from and how I can remove them.

UPD: since those were URL-encoded characters, when I decoded them and put '==' at the end of X-XSRF-TOKEN instead, that seems to be working. Still, it's strange why it worked before when I just removed the characters from the query manually.

Garfield Lasaga

2 Answers

0

Yeah, this stands for the = symbol, which is part of your base64'd CSRF token. I'd guess it only works when you remove it because the = symbol is the special padding character. At a very high level, they just pad the string out to the proper length.

Apos Spanos
0

As you already know, = becomes %3D when it is URL-encoded.

Usually, when you encounter a string with a lot of numbers and letters in random order that ends with ==, there is a very high probability that it is encoded in base64.

= is added (at the end of the string) as padding to bring the string up to a specific number of characters. You can read more about it in this answer.

To answer your question, I will try decoding the given token with and without == at the end. I'll use this online decoder, so you can try it at your end as well.

With ==:

{"iv":"xooACUwGd59C0jA3JicqMA==","value":"Isnv3b4OqnkMUglCIvH4raCOAr+LbKofLT765kmzvFcCdp4oC1UBVN04e4WS8rZ6","mac":"f4cc6c6beb1aefe4f1b95da50a7bf3ec4a1b540f0aefa188413b4a1e1ece5a09"}

Without ==:

{"iv":"xooACUwGd59C0jA3JicqMA==","value":"Isnv3b4OqnkMUglCIvH4raCOAr+LbKofLT765kmzvFcCdp4oC1UBVN04e4WS8rZ6","mac":"f4cc6c6beb1aefe4f1b95da50a7bf3ec4a1b540f0aefa188413b4a1e1ece5a09"}

They are same.

It works because they (=) are just padding and they DO NOT contain any information.

I am no Laravel expert, but I am guessing the reason it doesn't work with %3D is that the URL is not being decoded.

Swetank Poddar