Laravel 5 / Form Security (clarification required)

I'm not quite sure that I understand form security in Laravel well. For example, if the form contains <input type="hidden" name="user_id">, then obviously the hacker can change the value before sending the update. Although I looked at CSRF here, I do not quite understand whether the protection is enough.

e.g. Accepting the above: if I go to the site and open the form for editing a record that I am allowed to view but not change, and maliciously change the "user_id", is it sufficient that the form is protected with {{ csrf_field() }}, or should I use some additional security, for example Crypt::encrypt($id) to hide the user_id (stored in the database) and Crypt::decrypt($id)?

Is it bad practice to expose a string id (e.g. a user id) in the client browser (even though everything is sent via https)?

Many thanks

+4
3 answers

No, using only the CSRF token is not enough. You also need to use policies, guards and middleware to protect your application.

In this case, someone can change user_id if you read it from the form and use it afterwards; therefore, to protect the data you need to use a policy such as this one (from the documentation):

// Policy method: the post may be updated only by the user who owns it
public function update(User $user, Post $post)
{
    return $user->id === $post->user_id;
}

, , auth()->id() auth()->user(), . .

+2
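The following is an added example, not code from the answer above or from Laravel itself, showing how that policy is wired into a controller so that a tampered hidden user_id field has no effect. The class names, route name, and the Post/User models are assumed; the weak handler is kept beside the hardened one to make the difference visible.

```php
<?php
// Added example (not from the original answer). Two classes are shown in one
// file with bracketed namespaces for readability; in a real Laravel 5 app each
// lives in its own file and PostPolicy is registered in
// App\Providers\AuthServiceProvider::$policies as Post::class => PostPolicy::class.

namespace App\Policies {

    use App\User;   // assumed model
    use App\Post;   // assumed model, has a user_id column

    class PostPolicy
    {
        // Ownership check from the documentation: only the owner may update.
        public function update(User $user, Post $post)
        {
            return $user->id === $post->user_id;
        }
    }
}

namespace App\Http\Controllers {

    use App\Post;
    use Illuminate\Http\Request;

    class PostController extends Controller
    {
        public function __construct()
        {
            // Guests never reach the update handlers; the actor is always a
            // logged-in user taken from the session.
            $this->middleware('auth');
        }

        // Weak pattern: the hidden user_id is read back from the form, so a
        // client who edits that field reassigns the post to any user id.
        // The CSRF token does not help here: the request is genuine, it is the
        // field value that is untrusted.
        public function updateUnsafe(Request $request, $id)
        {
            $post = Post::findOrFail($id);
            $post->user_id = $request->input('user_id'); // client-controlled
            $post->title   = $request->input('title');
            $post->save();

            return redirect()->route('posts.show', $post); // assumed route
        }

        // Hardened pattern: CSRF is still enforced by the VerifyCsrfToken
        // middleware on web routes, ownership is enforced by PostPolicy::update,
        // and user_id is never taken from the request body.
        public function update(Request $request, $id)
        {
            $post = Post::findOrFail($id);

            // Throws an AuthorizationException (HTTP 403) unless the policy
            // returns true for the currently authenticated user.
            $this->authorize('update', $post);

            $this->validate($request, [
                'title' => 'required|string|max:255',
            ]);

            // Only whitelisted fields are written; a submitted user_id is ignored.
            $post->title = $request->input('title');
            $post->save();

            return redirect()->route('posts.show', $post); // assumed route
        }
    }
}
```

With this layout the hidden field can stay in the form or be dropped entirely: the record's owner is decided by the policy and the session, so encrypting the id only hides it from the user's eyes and adds nothing to authorization. If a handler ever needs the actor's id (for example when creating a record), read it from auth()->id() rather than from the request.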

Laravel CSRF .

, Laravel . , ! :)

+2

CSRF , , . Laravel , , csrf_field() Session:: token(). Laravel .

+2

Source: https://habr.com/ru/post/1691428/

