javascript - CSRF Token Security


I have disabled Laravel's CSRF token security in my application. The reason for doing this is that I'm using a JavaScript frontend framework (AngularJS) instead of Blade, and I have a mobile app that uses the same routes as the web app; having it enabled caused me "token mismatch" or "invalid token" errors.

My question is: since I have made the client side code independent of the server side code, how do I implement this feature?

Also, how do I make it work on the mobile app, since the APIs use the same routes as the web app?

The web part

As I understand the statement "I have made the client side code independent of the server side code", it means that the backend is on a different host/port than the AngularJS app.

This makes trouble, because of CORS: http://en.wikipedia.org/wiki/cross-origin_resource_sharing

How CSRF works:

  1. Backend app: sends a cookie with the CSRF token to the browser
  2. Browser: saves the token for the backend app
  3. Browser: sends the token with the next POST/PUT/DELETE request

Your app fails in step 2, because the browser only saves the cookie when the protocol, host and port match the frontend app.

If you want to implement custom CSRF tokens, you have to make an $http interceptor service that deals with adding the CSRF token to requests and updating the current CSRF token after each request.

Doc: https://docs.angularjs.org/api/ng/service/$http (section Interceptors)

To test if this is right, you can run the browser with web security disabled. The CSRF tokens will then be saved.

For Chrome / Chromium:

  1. Go to the terminal
  2. cd to the Chrome folder
  3. Run chrome --disable-web-security

The mobile app

Everything depends on the HTTP client in your app. CSRF cookies have to be sent in every request, and they are different (updated) after these requests. Please make sure that the library is saving the CSRF cookies and that the web app sends CSRF cookies (not headers).
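The interceptor the answer describes, as an added example that is not from the post nor from the AngularJS or Laravel projects: it attaches the current token to state-changing requests and picks up a fresh token from each response. The `X-CSRF-TOKEN` request header is what Laravel's VerifyCsrfToken middleware checks; `tokenStore`, `makeCsrfInterceptor` and the backend echoing the token back in a response header are assumptions for this illustration.

```javascript
// Builds an AngularJS-style $http interceptor ({ request, response }) that
// keeps the CSRF token client-side instead of relying on a cross-origin cookie.
// tokenStore is an assumed plain object { token: '...' } seeded from the
// backend (e.g. a bootstrap endpoint) since the cookie is not saved cross-origin.
function makeCsrfInterceptor(tokenStore) {
  // Only state-changing methods need CSRF protection; GET/HEAD/OPTIONS stay untouched.
  const UNSAFE = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
  return {
    // Called by $http before each request: add the token header if needed.
    request(config) {
      const method = (config.method || 'GET').toUpperCase();
      if (UNSAFE.has(method) && tokenStore.token) {
        config.headers = Object.assign({}, config.headers, {
          'X-CSRF-TOKEN': tokenStore.token, // header name Laravel verifies
        });
      }
      return config;
    },
    // Called by $http on each response: in AngularJS response.headers is a
    // getter function. ASSUMPTION: the backend echoes the current token in
    // an X-CSRF-TOKEN response header so the client can rotate it.
    response(response) {
      const fresh = typeof response.headers === 'function'
        ? response.headers('X-CSRF-TOKEN')
        : null;
      if (fresh) tokenStore.token = fresh;
      return response;
    },
  };
}

// Registration in an AngularJS app would look like (not executed here):
//   app.factory('csrfInterceptor', () => makeCsrfInterceptor(tokenStore));
//   app.config($httpProvider => $httpProvider.interceptors.push('csrfInterceptor'));
```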

