Laravel 4: Prevent multiple form submissions - CSRF Token



Problem scenario:

I'm creating a blog with Laravel 4. The form that's responsible for the creation of new blog posts is secured by the built-in CSRF protection (Laravel Docs: CSRF Protection).

Everything works fine so far, but it seems that Laravel does not refresh the CSRF token on every request.

The problem that occurs is that if the user hits the back button of the browser to return to the submitted form, the entered data persists and the user is able to "re-submit" the form. This might create an open door for spammers.

Usually this is prevented by the CSRF token, as it's being refreshed on every request, but Laravel doesn't seem to do it like that.

I use the Laravel "Resource Controller" approach (Laravel Docs: Resource Controllers) to handle the form and blog post views. Furthermore, I use Laravel's input validator before storing the submitted input in the database (MySQL).

So the following ideas came up:

1. somehow force Laravel 4 to regenerate the CSRF token automatically on every request

2. generate another token and include it in the form manually

3. save a timestamp of the form submission in the user's session (PHP or database) and throttle new form submissions on a time basis

Personally I prefer the first idea, but unfortunately I couldn't find a way of forcing Laravel to behave how I want it to, without hacking the "Illuminate" package itself (which I want to keep "as is" to be able to update Laravel without "hasslehoff" ^^).

What would you recommend?

How did you handle the problem yourself?

Solution

I actually ran into this issue as well for multiple post submissions. You have two options here:

1) Generate a new token AFTER post submission:

Session::put('_token', sha1(microtime()))

2) Redirect AFTER post to a confirmation page:

Redirect::route('form/success')->with("data", $myData)

I ended up doing the second.

EDIT: In a comment via Jason, it may be best to use the combination of both methods outlined above.
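The following is an added example, not code from the question or the answer above, showing what "the combination of both methods" looks like in a Laravel 4 resource controller. It implements the asker's idea 2 (a dedicated one-time form token that is consumed on the first successful POST, so a back-button or double-click replay is rejected before anything touches the database), rotates the session CSRF token after a successful store as in answer 1, and finishes with a Post/Redirect/Get as in answer 2. The controller name `PostsController`, the `Post` model with a static `$rules` array, the route names `posts.create`, `posts.store` and `posts.show`, the view `posts.create`, the session key `post_form_token` and the hidden field `form_token` are all assumptions of this example. The token is generated with `Illuminate\Support\Str::random`, which draws from a cryptographic source, rather than `sha1(microtime())`, whose input is guessable.

```php
<?php
// Added example (not from the original post). Assumed names: PostsController,
// Post model with static $rules, routes posts.create / posts.store / posts.show,
// view posts.create, session key post_form_token, hidden field form_token.

use Illuminate\Support\Str;

class PostsController extends BaseController
{
    public function __construct()
    {
        // Laravel 4's built-in csrf filter still checks _token on every POST;
        // the one-time form token below is added on top of it.
        $this->beforeFilter('csrf', array('on' => 'post'));
    }

    // GET /posts/create: issue a fresh one-time token for this rendering of the form.
    public function create()
    {
        $formToken = Str::random(40);                 // cryptographically random
        Session::put('post_form_token', $formToken);

        return View::make('posts.create', array('formToken' => $formToken));
    }

    // POST /posts: accept the submission once, then make the form stale.
    public function store()
    {
        $submitted = Input::get('form_token');        // null if the field is missing
        $expected  = Session::get('post_form_token'); // null if already consumed

        // A replayed submission (back button, double click, resend) carries a
        // token that was consumed by the first POST, so it is rejected here.
        if ($expected === null || $submitted === null || $submitted !== $expected) {
            return Redirect::route('posts.create')
                ->with('error', 'This form has already been submitted.');
        }

        // Consume the token: one token, one submission.
        Session::forget('post_form_token');

        $validator = Validator::make(Input::all(), Post::$rules);
        if ($validator->fails()) {
            // Redirecting back to create() hands the user a new token,
            // so a corrected resubmission is still possible.
            return Redirect::route('posts.create')
                ->withErrors($validator)
                ->withInput();
        }

        $post = Post::create(Input::only('title', 'body'));

        // Answer 1: rotate the session CSRF token after a successful submission,
        // so the _token still sitting in the cached form page no longer matches.
        Session::put('_token', Str::random(40));

        // Answer 2: Post/Redirect/Get, so refresh and back land on a GET page.
        return Redirect::route('posts.show', array($post->id))
            ->with('status', 'Post created');
    }
}
```

In the `posts.create` Blade view the form is opened with `Form::open(array('route' => 'posts.store'))`, which adds the `_token` field for the csrf filter, and carries one extra line, `Form::hidden('form_token', $formToken)`. The one-time token does the real work against resubmission: the session CSRF token protects against cross-site requests and is deliberately stable across a session, so rotating it alone only helps until the next page load; consuming a per-form token on the first successful POST rejects the replay regardless of how the user got back to the cached page.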
