CSRF icon in angular is different from Laravel 5

I have a project split into backend and frontend, the backend (API) is built in Laravel 5 and the frontend in AngularJS. Both projects are independent and must be hosted on different servers.

In the first request, I am getting the CSRF token from Laravel with this code:

var xhReq = new XMLHttpRequest();
xhReq.open("GET", "http://laravel.local/api/token", false);


So CSRF_TOKEN is sent every time I make an API request like:

    $scope.deleteTodo = function(index) {
    $scope.loading = true;
    var todo = $scope.tours[index];
    $http.defaults.headers.common['XSRF-TOKEN'] = CSRF_TOKEN;
    $http.delete('http://laravel.local/api/deleteTodo/' + todo.id, {headers : {'XSRF-TOKEN': CSRF_TOKEN}})
        .success(function() {
            $scope.todos.splice(index, 1);
            $scope.loading = false;



The API always returns:

TokenMismatchException in compiled.php line 2440:


Is it correct that Laravel changes the CSRF token with every request from Angular? On every request, Laravel creates a new file for storage / framework / sessions. Do you recommend any other solution for verifying that API requests are coming from a secure origin?


source to share

1 answer

In token-based authentication, cookies and sessions will not be used. The token will be used to authenticate the user for each request to the server. It will use the following control flow:

  • The user enters their username and password in the login form and clicks the "Login" button.
  • After the request is made, validate the user on the server by querying the request in the database. If the request is valid, create a token using the user information retrieved from the database and then return that information in the response header so that we can store the token browser in local storage.
  • Provide token information in each request header to access restricted endpoints in applications.

4.request header information is valid, allows the user to access the specified endpoint and respond with JSON or XML.

This can be achieved by Jwt (Json web Token). Enter this information from this link.

So what is this JWT?


JWT stands for JSON Web Token and is the token format used in authorization headers. This token helps securely construct communication between the two systems. Let's rephrase JWT as "bearer token" for the purposes of this tutorial. The bearer token consists of three parts: header, payload, and signature.

  • The header is part of the token that supports the token type and encryption method, which is also base-64 encrypted
  • The payload includes information. You can put any data like user information, product information, etc., all stored using base-64 encryption.
  • The signature consists of combinations of a header, payload, and secret key. The secret key must be securely stored on the server side.

A tutorial with an example can be found here Token Based Authentication with AngularJS and NodeJS .

Hope this solves your problem, all the best!



All Articles