How to hide the token generated in the url by laravel

0

I have the following form with the GET method, but when sending the request it sends the token through the URL. How can I hide the token?

URL: 127.0.0.1:8000/search?_token=bsL7AC1ymwC1UbtwWSRwz4d6YrirLsAP5Xbkfnqh&busca=or

<form action="{{route('search')}}" method="get">
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    <div class="input-group">
        <input type="text" class="form-control" name="busca" placeholder="Buscar..." required>
        <span class="input-group-btn">
            <button class="btn" type="submit">
                <i class="fa fa-search"></i>
            </button>
        </span>
    </div>
</form>

    
asked by anonymous 20.09.2017 / 21:23

1 answer

2

This generated TOKEN will exist in the source of the generated HTML whether you want it or not; hiding it in GET forms is practically unnecessary, since the TOKEN is just a key that is compared against the TOKEN in the session on the back end.

This is a technique to try to prevent CSRF attacks; that is, once it is used it "expires" and a new token is generated, so the old one will no longer be useful.

So much so that, "to facilitate" Ajax applications, the Laravel docs show an example using the <meta> tag:

In the HTML:

<meta name="csrf-token" content="{{ csrf_token() }}">

And to get it:

// Read the token rendered in the <meta> tag so it can be sent as a request header
const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');

Or jQuery to configure all Ajax calls from the current page:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

In this case, the META tag is used because static .js files do not talk directly to PHP (this is how HTTP works; it is not a matter of PHP).

That is, even if someone takes the TOKEN, it will expire when the form is sent or when you refresh the page, and even if you manage to hide it from the URL, anyone who wants to access the page source will get the TOKEN.

I should point out that the TOKEN is a good technique, but it is not 100% guaranteed against attacks coming from outside; for this reason many people even opt for Captchas like:

  • reCaptcha
  • NuCaptcha

They are usually a bit more secure, but sometimes more complicated for the end user.

    
20.09.2017 / 22:17
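The meta-tag pattern from the answer above, as an added example that is not part of the original answer or of Laravel itself: the token is read from the `<meta name="csrf-token">` tag and sent as the `X-CSRF-TOKEN` header only on state-changing POST requests, while the read-only search from the question is built as a plain GET URL with no `_token` at all (Laravel's `VerifyCsrfToken` middleware does not check GET, HEAD or OPTIONS requests, so the hidden input in the question's form is not needed). The `doc` and `fetchFn` parameters are assumptions made so the helpers run outside a browser; in a real page you pass the global `document` and `fetch`. The `fakeDocument` helper and the token value are constructed for the demonstration.

```javascript
// Added example (not from the original answer or from Laravel): attaches the
// CSRF token from the <meta> tag to POST requests and keeps GET search URLs
// token-free. `doc` and `fetchFn` are injected (assumption) so this can run
// without a browser; in a page use `document` and `fetch`.

function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (!meta) {
    // Edge case: the layout forgot the tag; fail loudly instead of sending an empty header.
    throw new Error('csrf-token meta tag missing: render it in the <head> first');
  }
  return meta.getAttribute('content');
}

function buildSearchUrl(base, query) {
  // A read-only search is a GET: no _token, and the user input is percent-encoded.
  const params = new URLSearchParams({ busca: query });
  return `${base}?${params.toString()}`;
}

async function postWithCsrf(doc, fetchFn, url, body) {
  // Only state-changing requests carry the token; the session cookie that the
  // server compares it against is sent because of credentials: 'same-origin'.
  return fetchFn(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'X-CSRF-TOKEN': readCsrfToken(doc),
    },
    credentials: 'same-origin',
    body: JSON.stringify(body),
  });
}

// Constructed stand-in for a page whose <head> rendered
// <meta name="csrf-token" content="..."> (only what the helpers above need).
function fakeDocument(token) {
  return {
    querySelector(selector) {
      if (selector === 'meta[name="csrf-token"]') {
        return { getAttribute: (name) => (name === 'content' ? token : null) };
      }
      return null;
    },
  };
}
```

In a browser the call is `postWithCsrf(document, fetch, '/items', { name: 'x' })`; for the search box, `buildSearchUrl('/search', 'or')` yields `/search?busca=or`, which is the same request as the question's form once the hidden `_token` input is dropped.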