Support the ongoing development of Laravel.io →
Authentication Security
Last updated 2 years ago.
0

You should be able to change the form field name in the form and then change the code filter.php function for how the token is checked.

Last updated 2 years ago.
0

Laravel seems to ignore the manual _token implementation in the form fields and readd the value like so.

<form method="POST" action="http://localhost:8000/sessions" accept-charset="UTF-8"><input name="_token" type="hidden" value="LOutMOYq80dZR15PUr5fOinoKPOgzeYTbA6dRgYn">
			<input name="_token" type="hidden" value="121212">
			<div>
				<label for="email">Email:</label>
				<input name="email" type="email" id="email">
			</div>
			<div>
				<label for="password">Password</label>
            	<input name="password" type="password" value="" id="password">
            </div>

            	<input type="submit">

		</form>
Last updated 2 years ago.
0

form open will add the token

Last updated 2 years ago.
0

Yes, I noticed that.

That means that in order to rename _token I must extend Form::open and do some magic there. Just to be clear, I intend to rename _token NOT the token's value, using the same expire behavior as it's value.

Any ideeas if this is the right path and how to proceed?

Last updated 2 years ago.
0

This might be something to suggest as a pull request. To allow the changing of the "_token" name, pass in a optional var in the construct, that would be default to _token, that could be used in the token function when the element is created. Problem would be the default CSRF filters, which also are set to use the _token, something to think about though.

Maybe doing the custom extending of the Formbuilder class and modifying the public function token() would work better.

You would need to overwrite the default form helper in blade to get it to use your custom one.

A couple things I found that might help,

http://stackoverflow.com/questions/22884764/laravel-extend-form-class

https://github.com/BradEstey/laravel4-formbuilder-extended

Last updated 2 years ago.
0

I have found the following _token occurrences thru laravel:

\Illuminate\Session\Store.php:89 \Illuminate\Session\Store.php:559 \Illuminate\Session\Store.php:579

\Illuminate\Html\FormBuilder.php:181

I'm guessing one is the session handler and one is the form builder helper. But after looking at FormBuilder.php, i'm not sure if this is the right file that inserts the _token into the form.

Anyway, I'll think i'll have to extend both Store.php and FormBuilder.php as I was thinking to the following design pattern:

  • store _tokenField in session with a random(10) value
  • inject the _tokenField value in form and replace the curent _token name
  • validate the _tokenField against Input::get(Session::tokenField())
  • proceed with the usual _token validation.

it's basically a dynamic double validation.

Last updated 2 years ago.
0

Easy solution: don't use Form::open(). Just manually write the open/close tags for the form, add your token field and then use the Form facade (if still needed at all) for the rest of the inputs?

:)

Last updated 2 years ago.
0

I can't really grasp the extend concept. What's up with the register function?

Last updated 2 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

TGM tgm Joined 24 Nov 2014

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.