
Consider this scenario:

An application has a login route that is protected by Laravel's CSRF filter:

// Laravel 4 route group: the 'csrf' before-filter runs ahead of every route inside it
Route::group(array('before' => 'csrf'), function() {
    Route::post('/doLogin', array('as' => 'doLogin', 'uses' => 'MainController@doLogin'));
});

The application sits behind a load balancer, where each request is doled out randomly to either server01 or server02. Laravel is configured to persist sessions in a database, which is shared by both server01 and server02. The standard path to follow is: a user accesses /, enters their credentials into a login form, and submits those credentials to /doLogin, which checks the token, processes the credentials, and returns the user to / on error, or /home on success.

My question is this: since there's no guarantee that a user who accesses / on server01 will post to /doLogin on server01, will Laravel's built-in CSRF tokens work? Or since the token is stored in Session, will it work regardless of which server ends up being assigned by the LB?

tmountjr
  • I use redis for sessions across multiple load balanced servers, but csrf works perfectly irrespective of which server gets hit... and I have specifically tested it by taking servers down between requests – Mark Baker Mar 29 '15 at 12:46

2 Answers

CSRF will work regardless of which server it hits if session is shared between these servers.

Database, Cookie and memcached/redis session drivers are good.

File session driver should not work usually.

CSRF token from client is compared with the one in the session.

menjaraz
Margus Pala
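To make the point in the question and in this answer concrete (the token lives in the session, so the POST only verifies if the server handling it can read the session the GET wrote), here is a stand-alone simulation. It is an added example, not code from the question, the answer, or Laravel itself: the InMemoryStore, AppServer and loginRoundTrip names are assumptions made for the illustration, and the token check mirrors what Laravel's csrf filter does (compare the posted _token with the session's) without being its actual implementation.

```php
<?php
// Added example: two "servers" run the same login flow; the only thing that
// changes between the runs is whether they share one session backend.

interface SessionStore
{
    public function get(string $sessionId, string $key): ?string;
    public function put(string $sessionId, string $key, string $value): void;
}

// A trivial key/value session backend. Handing ONE instance to both servers
// models the database/redis drivers (shared storage); giving each server its
// OWN instance models the file driver writing to local disk.
class InMemoryStore implements SessionStore
{
    private array $data = [];

    public function get(string $sessionId, string $key): ?string
    {
        return $this->data[$sessionId][$key] ?? null;
    }

    public function put(string $sessionId, string $key, string $value): void
    {
        $this->data[$sessionId][$key] = $value;
    }
}

class AppServer
{
    public function __construct(public string $name, private SessionStore $sessions) {}

    // GET / : issue (or reuse) the token the login form embeds as _token.
    public function showLoginForm(string $sessionId): string
    {
        $token = $this->sessions->get($sessionId, '_token');
        if ($token === null) {
            $token = bin2hex(random_bytes(20));
            $this->sessions->put($sessionId, '_token', $token);
        }
        return $token;
    }

    // POST /doLogin : the csrf filter compares the posted token with the session's.
    public function doLogin(string $sessionId, string $postedToken): bool
    {
        $expected = $this->sessions->get($sessionId, '_token');
        // hash_equals keeps the comparison constant-time so timing cannot leak the token.
        return $expected !== null && hash_equals($expected, $postedToken);
    }
}

// One browser round trip: the load balancer sends GET / to $first and
// POST /doLogin to $second. The session cookie value is a constructed sample.
function loginRoundTrip(AppServer $first, AppServer $second): bool
{
    $sessionId = 'sess-' . bin2hex(random_bytes(8));
    $token = $first->showLoginForm($sessionId);
    return $second->doLogin($sessionId, $token);
}

// Shared backend: server01 and server02 read the same session row.
$shared = new InMemoryStore();
$s1 = new AppServer('server01', $shared);
$s2 = new AppServer('server02', $shared);
printf("shared store, GET on %s / POST on %s: %s\n",
    $s1->name, $s2->name, loginRoundTrip($s1, $s2) ? 'token accepted' : 'token mismatch');

// Per-server store: server02 never saw the token server01 issued.
$f1 = new AppServer('server01', new InMemoryStore());
$f2 = new AppServer('server02', new InMemoryStore());
printf("local store,  GET on %s / POST on %s: %s\n",
    $f1->name, $f2->name, loginRoundTrip($f1, $f2) ? 'token accepted' : 'token mismatch');
printf("local store,  GET on %s / POST on %s: %s\n",
    $f1->name, $f1->name, loginRoundTrip($f1, $f1) ? 'token accepted' : 'token mismatch');
```

With the shared store the cross-server round trip is accepted; with per-server stores it is accepted only when the balancer happens to send both requests to the same server, which is exactly the intermittent TokenMismatchException a file-driver deployment would show. The cookie driver also passes because the whole session, token included, travels with the client rather than living on any one server.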

You should use cookie or database driver for session handling.

For more info read the Laravel session doc.

Emamie