I have an application that is using AngularJS to make an $http GET request to a server. One page in particular has a form which gets a CSRF token embedded into it as follows:

<input type="hidden" ng-model="token" value="{{{ Session::getToken() }}}">

In my controller I have the following code:

public function getMethod($arg, $token) 
{
    /*Check for csrf token validity*/
    if ($token != Session::token()) {
        return Response::json(
                array(),
                403
        );
    }
    // ...
}

From the client side I make a request like this:

var arg = $scope.arg;
var get_url = '/url/routing/to/controller/arg/' + arg + '/' + $scope.token;

$http({method: 'GET', url: get_url})
    .success(function(data, status, headers, config) {
        //Do stuff after success
        // ...
    })
    .error(function(data, status, headers, config) {
        //Handle error
        // ...
    });

I am not exactly sure how the GET request can be integrated with CSRF tokens, but when I make a GET request to the registered URL, I get a token mismatch. Basically a new token is generated every time an AJAX request is sent to the server, therefore the initial token extracted in the form input element does not match when I am comparing it in the controller. Could anyone tell me how CSRF validity can be done in this case?

Thanks

1 Answer

You should not be adding/modifying resources through GET, therefore you do not need a token on a GET request. CSRF tokens are needed only in methods that change or add resources to your application using the currently logged-in user's credentials.

3 Comments

Hi, so does that mean I can only have CSRF tokens embedded in for POST requests (or anything other than GET)? My form basically is for creating an object in the database. The user won't be logged in yet.
If anyone can create the resource, it doesn't make much sense for you to protect it against CSRF.
Okay, I am trying to make a POST request and I get a token mismatch error in Laravel. Do you know why that might be the case?
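
The answer's rule, as an added example that is not part of the original thread: the client attaches the token only to state-changing requests, in a header rather than in the URL path (where it would end up in logs and Referer headers), and the server verifies it only for those methods. The header name `X-CSRF-TOKEN`, the function names and the sample token are assumptions for illustration; `csrfInterceptor` returns an object in the shape of an AngularJS `$http` request interceptor.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']; // must never change server state
const CSRF_HEADER = 'X-CSRF-TOKEN';              // assumed header name

// Client side: attach the token to unsafe methods only, never to the URL.
function csrfInterceptor(getToken) {
  return {
    request: function (config) {
      const method = (config.method || 'GET').toUpperCase();
      if (SAFE_METHODS.indexOf(method) === -1) {
        config.headers = Object.assign({}, config.headers);
        config.headers[CSRF_HEADER] = getToken();
      }
      return config;
    }
  };
}

// Compare without an early exit so timing does not reveal matching prefixes.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side model: safe methods pass, everything else needs a matching token.
function verifyCsrf(method, headers, sessionToken) {
  if (SAFE_METHODS.indexOf(method.toUpperCase()) !== -1) return true;
  return constantTimeEqual(headers[CSRF_HEADER], sessionToken);
}

// Constructed sample requests and token, for illustration only.
function demo() {
  const sessionToken = 'constructed-sample-token-0123456789';
  const ic = csrfInterceptor(function () { return sessionToken; });
  const get = ic.request({ method: 'GET', url: '/items/42' });
  const post = ic.request({ method: 'POST', url: '/items', data: { name: 'x' } });
  const stale = {};
  stale[CSRF_HEADER] = 'constructed-stale-token';
  return {
    getHasHeader: Boolean(get.headers && get.headers[CSRF_HEADER]),
    getAllowed: verifyCsrf('GET', get.headers || {}, sessionToken),
    postAllowed: verifyCsrf('POST', post.headers, sessionToken),
    forgedPostAllowed: verifyCsrf('POST', {}, sessionToken),
    stalePostAllowed: verifyCsrf('POST', stale, sessionToken)
  };
}
```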
