laravel / framework

The Laravel Framework.
https://laravel.com
MIT License

CSRF Protection: inconsistency between frameworks #9737

Closed tortuetorche closed 9 years ago

tortuetorche commented 9 years ago

The CSRF Protection of Laravel appears to be inspired by the Ruby on Rails one.

But this code doesn't reflect the CSRF protection behaviour of Ruby on Rails.

We should compare $request->session()->token() with $request->input('_token') and if it doesn't match, we should compare the $request->session()->token() with $request->header('X-CSRF-TOKEN').

For a real-world use case: if on your page you have a <form> cached with an outdated csrf_token(), when you submit the form, the CSRF protection will check matching tokens with the outdated CSRF token and then throw a TokenMismatchException. But the HTTP header X-CSRF-TOKEN sent to the server is good, so we should check matching tokens with it before throwing an exception.

PS: I know my explanations are a bit confusing, just tell me if you want more clarifications.
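The two check orders under discussion, as an added stand-alone example rather than Laravel's own VerifyCsrfToken middleware or code from the issue author: a strict form-field-only check beside the Rails-style fall-through check that also consults the X-CSRF-TOKEN header. The function names, the constructed session token and the "cached form with an outdated token" scenario are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's VerifyCsrfToken middleware. Function and
// variable names are this example's own.

/**
 * Strict check: only the form field `_token` is consulted.
 */
function tokensMatchFormOnly(string $sessionToken, ?string $formToken): bool
{
    // hash_equals is a constant-time comparison, so the check does not leak
    // how many leading bytes of the token were correct through timing.
    return $formToken !== null && hash_equals($sessionToken, $formToken);
}

/**
 * Fall-through check as proposed in the issue: the request is accepted when
 * either the form field `_token` or the `X-CSRF-TOKEN` header carries the
 * token currently stored in the session.
 */
function tokensMatchWithHeaderFallback(
    string $sessionToken,
    ?string $formToken,
    ?string $headerToken
): bool {
    if ($formToken !== null && hash_equals($sessionToken, $formToken)) {
        return true;
    }
    return $headerToken !== null && hash_equals($sessionToken, $headerToken);
}

// Constructed scenario from the issue: the session token was rotated after the
// page containing the <form> was cached, so the form still carries the old
// value, while the page's JavaScript read the fresh token and sent it in the
// X-CSRF-TOKEN header.
$sessionToken  = bin2hex(random_bytes(20)); // token currently in the session
$outdatedToken = bin2hex(random_bytes(20)); // token baked into the cached form
$headerToken   = $sessionToken;             // fresh token sent by the client

$cases = [
    'cached form, strict check'        => tokensMatchFormOnly($sessionToken, $outdatedToken),
    'cached form, header fallback'     => tokensMatchWithHeaderFallback($sessionToken, $outdatedToken, $headerToken),
    // A forged cross-site request carries neither a valid field nor the
    // custom header, since browsers do not attach custom headers to
    // cross-site form submissions; both checks must reject it.
    'cross-site forgery, strict check' => tokensMatchFormOnly($sessionToken, null),
    'cross-site forgery, fallback'     => tokensMatchWithHeaderFallback($sessionToken, null, null),
];

foreach ($cases as $label => $accepted) {
    printf("%-34s %s\n", $label, $accepted ? 'accepted' : 'rejected (TokenMismatchException)');
}
```

Run with `php example.php`. The strict check rejects the cached form, which is the behaviour the issue describes, while the fall-through variant accepts it because the header carries the current session token. The forged request is rejected by both variants: the fallback only adds a second place to look for the same secret, it does not accept a request that presents no valid token at all.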

spencerdeinum commented 9 years ago

I'm trying to think of when you would have an invalid _token from the form but a valid X-CSRF-TOKEN.

I see that the rails one will fall through || to check both but I'm not really sure if I understand the use case.

GrahamCampbell commented 9 years ago

I don't think we need to change anything, and anything we did change would be breaking.