Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[9.x] Allow VerifyCsrfToken's CSRF cookie to be extended #41342

Merged
merged 4 commits into from
Mar 4, 2022
Merged

[9.x] Allow VerifyCsrfToken's CSRF cookie to be extended #41342

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f8036d7
Move the cookie to its own method
jaggy Mar 4, 2022
3574cf3
Fix types
jaggy Mar 4, 2022
2c34cc3
CS fixes
jaggy Mar 4, 2022
d1fa875
formatting
taylorotwell Mar 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,15 +189,27 @@ protected function addCookieToResponse($request, $response)
}

$response->headers->setCookie(
new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
)
$this->newCookie($request, $config)
);

return $response;
}

/**
* Create the CSRF token that will be sent with the response.
*
* @param \Illuminate\Http\Request $request
* @param array $config
* @return \Symfony\Component\HttpFoundation\Cookie
*/
protected function newCookie($request, $config)
{
return new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
);
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just passing the request, since the only usage of the method is this one, you could just get the config in there, if missing? (Then you could remove src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:185)

Suggested change
protected function newCookie($request, $config)
{
return new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
);
}
protected function newCookie($request, $config = null)
{
$config = $config ?: config('session');
return new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt(60 * $config['lifetime']),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
);
}


/**
* Determine if the cookie contents should be serialized.
*
Expand Down