CodingJungle Posted October 10, 2020

I'm updating one of my apps, and it has a ton of ajax requests, and I've done this in the execute method of my controllers:

    // Run the CSRF check for every request method except GET
    if ( Request::i()->requestMethod() !== 'GET' ) {
        Session::i()->csrfCheck();
    }

as all my POSTs are for state changes and my GETs aren't (so basically any HTTP request that isn't a GET will hit the csrfCheck). From my testing, it appears to be effective, or should I be putting the csrfCheck into each method of the controller that needs to check it?

Daniel F Posted October 10, 2020

I guess it's fine, given it's only run in your own controllers where you're making sure to use POST requests for any state changes and any actions where data aren't just simply displayed to the user.

Martin A. Posted October 10, 2020 (Solution)

But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it. So I'm gonna say you do need it in every method. Or you need all state-changing methods in their own controller where you run the csrfCheck regardless of request method.

CodingJungle (Author) Posted October 10, 2020

2 minutes ago, Martin A. said:
> But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it.

Good point.
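
The difference between the two approaches discussed in this thread, as an added example that is not part of the original posts and is not IPS code. The classes `Req`, `BaseController`, `MethodGated` and `ActionGated`, the `delete` action and the session key value are hypothetical stand-ins, and the check is made per state-changing action as a compact form of calling it in every such method.

```php
<?php
// Added illustration (PHP 8+). Stand-in classes with hypothetical names, not IPS code.
final class CsrfError extends RuntimeException {}

// Constructed request model: HTTP method, action name, submitted token.
final class Req {
    public function __construct(
        public string $method, public string $do, public ?string $csrfKey = null
    ) {}
}

abstract class BaseController {
    protected const STATE_CHANGING = ['delete'];  // actions that modify data
    public array $ran = [];                       // actions that actually executed

    public function __construct(protected string $sessionKey) {}

    protected function csrfCheck(Req $r): void {
        if ($r->csrfKey === null || !hash_equals($this->sessionKey, $r->csrfKey)) {
            throw new CsrfError('csrf key missing or wrong');
        }
    }
    abstract public function execute(Req $r): void;
}

// First post's pattern: the check depends on the request method.
final class MethodGated extends BaseController {
    public function execute(Req $r): void {
        if ($r->method !== 'GET') { $this->csrfCheck($r); }
        $this->ran[] = $r->do;
    }
}

// Accepted reply's pattern: the check depends on the action, not the method.
final class ActionGated extends BaseController {
    public function execute(Req $r): void {
        if (in_array($r->do, self::STATE_CHANGING, true)) { $this->csrfCheck($r); }
        $this->ran[] = $r->do;
    }
}

// Constructed input: a shared link, i.e. GET with no token, to a state-changing action.
$link = new Req('GET', 'delete');
$a = new MethodGated('session-key-1');
$a->execute($link);
echo 'method-gated executed: ', implode(',', $a->ran), PHP_EOL;
$b = new ActionGated('session-key-1');
try { $b->execute($link); } catch (CsrfError $e) { echo 'action-gated refused: ', $e->getMessage(), PHP_EOL; }
echo 'action-gated executed: ', count($b->ran), ' action(s)', PHP_EOL;
```

The method-gated controller only holds if every state-changing action also refuses GET on its own; the action-gated one does not depend on that.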