Is there a case to keep "_token" as part of the request?

Posted 4 months ago by travisobregon

Once the VerifyCsrfToken middleware has executed, should the "_token" be removed? I'm just wondering if people still use it in their controllers or something else?

Should this line be added to the middleware?

```php
$request->offsetUnset('_token');
```

So that the handle method becomes:

```php
public function handle($request, Closure $next)
{
    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->inExceptArray($request) ||
        $this->tokensMatch($request)
    ) {
        // Proposed addition: drop the token once it has been verified
        $request->offsetUnset('_token');

        return tap($next($request), function ($response) use ($request) {
            if ($this->shouldAddXsrfTokenCookie()) {
                $this->addCookieToResponse($request, $response);
            }
        });
    }

    throw new TokenMismatchException;
}
```
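One way to get the behaviour proposed above without patching the framework's own middleware is to do the unset in the application-level subclass that a default Laravel install already registers (`App\Http\Middleware\VerifyCsrfToken`). This is an added example, not code from the post or from Laravel; it assumes a Laravel version where `Illuminate\Http\Request::offsetUnset()` exists and where the parent `handle()` calls `$next($request)` only after the token check has passed or been skipped.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs that should be excluded from CSRF verification.
     */
    protected $except = [];

    public function handle($request, Closure $next)
    {
        // Let the framework decide whether the request is a read, a unit
        // test, an excepted URI, or carries a matching token. Our inner
        // closure only runs once that decision has been made in favour of
        // continuing, so the unset never happens on a rejected request.
        return parent::handle($request, function ($request) use ($next) {
            // Drop the verified token from the input bag so that downstream
            // code (validation rules, $request->all() passed to fill(),
            // request logging) never sees or persists it.
            $request->offsetUnset('_token');

            return $next($request);
        });
    }
}
```

Controllers that want the same effect without a middleware change can keep using `$request->except('_token')` when building data to persist.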
