Is there a case to keep "_token" as part of the request?

Posted 11 months ago by travisobregon

Once the VerifyCsrfToken middleware has executed, should the "_token" be removed? I'm just wondering if people still use it in their controllers or something else?

Should this line be added to the middleware?


So that the handle method becomes:

        // Let the request through when no check is needed or the token matches.
        if (
            $this->isReading($request) ||
            $this->runningUnitTests() ||
            $this->inExceptArray($request) ||
            $this->tokensMatch($request)
        ) {

            return tap($next($request), function ($response) use ($request) {
                if ($this->shouldAddXsrfTokenCookie()) {
                    $this->addCookieToResponse($request, $response);
                }
            });
        }

        // Otherwise reject the request.
        throw new TokenMismatchException;
