15

I'm having single-page app made on Laravel 5.1. I use localStorage to keep API key and I don't need cookies. Laravel creates two cookies for me:

  • XSRF-TOKEN
  • laravel_session

If I set SESSION_DRIVER to array in my environment config, laravel_session cookie is no longer generated.

But I think there might be a problem with XSRF-TOKEN cookie, because I found out this piece of code in VerifyCsrfToken middleware class:

public function handle($request, Closure $next)
{
    if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

And addCookieToResponse method looks like this:

protected function addCookieToResponse($request, $response)
{
    $config = config('session');

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(), time() + 60 * 120,
            $config['path'], $config['domain'], false, false
        )
    );

    return $response;
}

It seems like it sets this cookie no matter what. I could disable this middleware, but I want to use it to verify CSRF token with HTTP headers. Can I disable cookies completely?

Robo Robok
  • 21,132
  • 17
  • 68
  • 126
  • 1
    If you are using laravel fro API using tokens, why not disable the VerifyCsrfToken middleware completely ? This uses cookies which you don't care about. You can disable by going to app/http/Kernel.php and comment the line – codegeek Nov 02 '15 at 16:13
  • just for more background information, what is the reason for wanting to disable cookies? – ExoticChimp Nov 02 '15 at 21:47
  • @ExoticChimp There is a law that makes it obligatory to inform user about cookies if you use any. I don't need them, so I would rather disable them and be free from that "We are using cookies" information :) – Robo Robok Nov 02 '15 at 22:01
  • First party cookies which are essential for a site to work are exempt and do not require you (EU cookie law) to inform the user (depending on their nature). The default Laravel session cookie would be exempt in this case. The laws were relaxed a while ago – ExoticChimp Nov 02 '15 at 22:07
  • Also, using local storage doesn't mean you don't have to gain consent. Local storage is also covered in the legislation – ExoticChimp Nov 02 '15 at 22:08
  • @ExoticChimp Yes I'm aware that local storage is also included in this law. Do I say "local storage" instead of "cookies" then? :) I need to dive deeper into this law and see what is included and what is excluded there. I find that law quite weird to be honest. – Robo Robok Nov 02 '15 at 22:20
  • 1
    yeah it seems to have caused quite a bit of confusion. Here is a good article to get you started: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm – ExoticChimp Nov 02 '15 at 22:42

4 Answers4

9

Simply comment out the lines in app\Http\Kernel.php which related to cookies and sessions. The following ones which I found;

\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,

Hope it helps.

ozanmuyes
  • 721
  • 12
  • 26
  • 1
    You can send CSRF token via HTTP header, of course, but you have to store the token on the client-side. So if you willing to disable cookies you have to figure out how to transmit and store the token received from back-end. Maybe localstorage come in handy to store. And also sending procedures is on you as well, i.e. setting proper HTTP header. – ozanmuyes Nov 18 '15 at 00:06
  • just use `` in the header and then use `headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') },` in ajax calls (jquery example). however, laravel still throws error `"Session store not set on request.",` and i don't know why – user151496 May 26 '20 at 10:19
3

As of 5.7.0 the XSRF-TOKEN cookie is now optional. In order to disable it you just need to set the following in your /app/Http/Middleware/VerifyCsrfToken.php file.

protected $addHttpCookie = false;

https://github.com/laravel/framework/commit/3ff7040663b81d8f01939edd2cb67d3214ec91b8

debite
  • 434
  • 4
  • 11
3

I've just tested this in Laravel 6.0.
To have CSRF middleware running, and Laravel adding no cookies you need to disable (comment out) the following middleware:

\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,

This will prevent Laravel from adding the laravel_session cookie.

To disable adding XSRF-TOKEN cookie, open up \App\Http\Middleware\VerifyCsrfToken::class middleware and set $addHttpCookie property to false

GTCrais
  • 2,039
  • 2
  • 26
  • 32
  • but when you don't use `StartSession`, you always get message": "Session store not set on request.", when doing some post request when trying to verifycsrftoken. i want to use session, but don't use cookies, like normal php `session_start()` no cookies needed. it is so ridiculous that this is so difficult in laravel – user151496 May 26 '20 at 10:16
0

Be careful, removing the StartSession middleware does remove the whole csrf token, as the csrf_token function fetch app('session')->token().

However, there's a line in the StartSession middleware when it tries to set the cookie and it checks if the driver is not null (sessionIsPersistent) but if I set it to null, I can't get past the "Unable to resolve NULL driver for Illuminate\Session\SessionManager

korko
  • 630
  • 5
  • 11