
ilex01's avatar

I'm detected as a guest: $.get("https://example.co/uid" ...

uid.blade.php:

@auth
    {{ Auth::user()->id }} {{-- outputs a user ID --}}
@endauth

@guest
    guest {{-- outputs the string "guest" --}}
@endguest

script.js:

$.get("https://example.co/uid", function(uid) {

	alert(uid); 
	// always outputs "guest" if I try to call https://example.co/uid from a different URL, for example, https://test.co
	// If I try to output "uid" from the same website, for example, https://example.co/abcd... and I'm logged in, it outputs the user ID, correctly
	// It's as if, when I try to $.get a different website, I'm not authenticated even if I am.

});
0 likes
4 replies
hupp's avatar

@ilex01 Compare your middleware and policies from the working project to the new project. Maybe you have missed some code over there.

ilex01's avatar

@hupp Hello. Thanks for trying to help me. I don't really understand what you mean.

hupp's avatar

@ilex01

I think uid, the last param of the URL, will be checked in your middleware and searched for in the user model, and return a login with that user's id. But you may not have a user with the name "uid", but you have "abc".

If these do not work, please share some more code to get a clear idea about it.

1 like
MohamedTammam's avatar
Level 51

That's how it should work. It's called a CORS attack. If, on my side, I can send a request to your site as an authenticated user, then I can perform actions on behalf of your users without their knowledge.

Imagine if you were able to send a request to google.com to delete an account; then each logged-in Google user would get their account deleted when they visit your website.

Laravel is preventing that by default.

More about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

1 like
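
Added example (not part of the thread or any poster's code): a simplified JavaScript model of the browser rules that decide whether the session cookie travels with the `$.get` from the question and whether the calling script may read the reply. It assumes the session cookie is `SameSite=Lax` and that `example.co` answers with permissive CORS headers (the callback in the question did receive "guest"); `simulate`, the scenario names and the header objects are hypothetical.

```javascript
// Simplified model of what a browser does with a script-initiated GET (XMLHttpRequest).
// Assumption: "site" = last two host labels (no Public Suffix List); enough for example.co / test.co.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

function simulate({ page, target, withCredentials, cookie, cors }) {
  const origin = new URL(page).origin;
  const sameOrigin = origin === new URL(target).origin;
  const sameSite = site(page) === site(target);

  // 1. Is the session cookie attached to the request?
  let cookieSent;
  if (sameOrigin) cookieSent = true;                // same-origin XHR always carries cookies
  else if (!withCredentials) cookieSent = false;    // cross-origin XHR omits credentials by default
  else if (sameSite) cookieSent = true;             // cross-origin but same-site: Lax/Strict still sent
  else cookieSent = cookie.sameSite === "None" && cookie.secure; // Lax/Strict withheld cross-site

  // 2. May the calling script read the response?
  let readable;
  if (sameOrigin) readable = true;
  else if (withCredentials)                          // credentialed: "*" is not accepted
    readable = cors.allowOrigin === origin && cors.allowCredentials === true;
  else readable = cors.allowOrigin === "*" || cors.allowOrigin === origin;

  // 3. What the callback ends up with (uid.blade.php prints "guest" without a session)
  const body = cookieSent ? "<user id>" : "guest";
  return { cookieSent, readable, seen: readable ? body : "blocked by CORS" };
}

// Constructed scenarios; cookie attributes and CORS headers are sample values.
const target = "https://example.co/uid";
const lax = { sameSite: "Lax", secure: true };
const none = { sameSite: "None", secure: true };
const wildcard = { allowOrigin: "*", allowCredentials: false };
const pinned = { allowOrigin: "https://test.co", allowCredentials: true };
const run = (page, withCredentials, cookie, cors) =>
  simulate({ page, target, withCredentials, cookie, cors });

const scenarios = {
  sameOrigin: run("https://example.co/abcd", false, lax, {}),
  questionCase: run("https://test.co/", false, lax, wildcard),
  credsButLax: run("https://test.co/", true, lax, pinned),
  wildcardWithCreds: run("https://test.co/", true, none, wildcard),
  optedIn: run("https://test.co/", true, none, pinned),
};
console.table(scenarios);
```

Only the `optedIn` row returns the user ID cross-site, and it needs three deliberate server-side choices at once: a `SameSite=None; Secure` session cookie, `Access-Control-Allow-Credentials: true`, and an `Access-Control-Allow-Origin` pinned to one trusted origin. Making those choices removes the protection described in the answer above for that origin.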
