rydurham / L4withSentry

Laravel 4 and Sentry 2.0

Security: CSRF Filter Disabled as Guest #42

Closed jimthedev closed 10 years ago

jimthedev commented 10 years ago

Summary

The CSRF filter works properly when Session::token() returns a different value than the form input token (via: Input::get('_token')). The problem is, when the session has no token (guest access) and the form input has no token, then the CSRF filter malfunctions and does not throw an exception. In this case it should throw an exception but does not.

Cause

The cause seems to be the code on Line 108 of filters.php. If both values are null, then the comparison between them becomes true, even though we want the expression to be false.

Solution

The solution is to add a check that ensures that neither the Session token nor the form token is null. If either is null, we throw an exception.
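The guest-session case above, as an added example that is not the project's filters.php: the loose comparison is modelled on the issue's description (a `!=` between the session token and the form token), and the function names and sample tokens are constructed for illustration. The hardened variant rejects a missing token on either side before comparing.

```php
<?php
// Added example (hypothetical names, not L4withSentry code). Models the CSRF
// filter comparison described in the issue and a hardened replacement.

// Loose check, modelled on the reported filter: returns true when the request
// would be allowed. With a guest session and no _token input both sides are
// null; in PHP "null != null" is false, so the request is NOT rejected.
function csrfCheckLoose($sessionToken, $formToken): bool
{
    return !($sessionToken != $formToken);
}

// Hardened check: a missing or empty token on either side is a failure, and
// the remaining comparison uses hash_equals (strict and constant-time).
function csrfCheckStrict(?string $sessionToken, ?string $formToken): bool
{
    if ($sessionToken === null || $sessionToken === '' ||
        $formToken === null || $formToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $formToken);
}

// Constructed request scenarios: [session token, form token].
$cases = [
    'guest, no form token'   => [null, null],
    'guest, empty form token' => [null, ''],
    'matching tokens'        => ['tok-abc123', 'tok-abc123'],
    'mismatched tokens'      => ['tok-abc123', 'tok-zzz999'],
];

foreach ($cases as $label => [$sess, $form]) {
    printf("%-25s loose=%-6s strict=%s\n", $label,
        csrfCheckLoose($sess, $form) ? 'allow' : 'reject',
        csrfCheckStrict($sess, $form) ? 'allow' : 'reject');
}
```

The first two rows are the malfunction: the loose check allows both guest requests, while the strict check rejects them.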