
feat: allow to rename xsrf-token #56268


Barbapapazes

Hello 👋,

This is a follow-up PR to issue #56238.

It introduces a new configuration option xsrf-token in the session.php configuration file, allowing developers to customize the name of the XSRF token cookie. I'm unsure about the name of this field.

Also, I had to read the config from the static method serialized in the VerifyCsrfToken middleware. I'm unsure if this is the best way to do it, but it works.

@Barbapapazes Barbapapazes force-pushed the feat/allow-to-rename-xsrf-token branch from 2cf696b to 639a240 Compare July 11, 2025 11:44
@Barbapapazes Barbapapazes force-pushed the feat/allow-to-rename-xsrf-token branch from 639a240 to eb2f730 Compare July 11, 2025 11:45
@taylorotwell
Member

Thanks for your pull request to Laravel!

Unfortunately, I'm going to delay merging this code for now. To preserve our ability to adequately maintain the framework, we need to be very careful regarding the amount of code we include.

If applicable, please consider releasing your code as a package so that the community can still take advantage of your contributions!

@Barbapapazes
Author

Hey,

I can’t create a package for this, and if you check online, most of the workarounds are pretty bad. Not having built-in support for this is frustrating.

For reference, Symfony supports this option:
https://symfony.com/doc/current/reference/configuration/framework.html#cookie-name

Axios does as well:
https://axios-http.com/docs/req_config#:~:text=xsrfCookieName%3A%20%27XSRF%2DTOKEN%27%2C%20//%20default

And AdonisJS will be supporting something similar soon:
https://x.com/AmanVirk1/status/1943645932089688325

@rodrigopedra
Contributor

I had a similar need on a project and came up with the middleware below.

Note that I just changed the cookie name, as the header is set on a per-request basis from the frontend. So there should be no conflict.

If you need to also rename a request's header, you can try a similar approach.

Add this middleware before Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, and change the $map array as you need.

<?php

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

class RenameCookies
{
    protected array $map = [
        'XSRF-TOKEN' => 'MY-TOKEN',
    ];

    public function handle(Request $request, \Closure $next): Response
    {
        return \tap($next($request), $this->renameResponseCookies(...));
    }

    private function renameResponseCookies(Response $response): void
    {
        $cookies = $response->headers->getCookies();

        foreach ($cookies as $cookie) {
            if (\array_key_exists($name = $cookie->getName(), $this->map)) {
                $response->headers->removeCookie($name, $cookie->getPath(), $cookie->getDomain());
                $response->headers->setCookie($this->makeCookie($this->map[$name], $cookie));

                break;
            }
        }
    }

    private function makeCookie(string $name, Cookie $cookie): Cookie
    {
        return new Cookie(
            $name,
            $cookie->getValue(),
            $cookie->getExpiresTime(),
            $cookie->getPath(),
            $cookie->getDomain(),
            $cookie->isSecure(),
            $cookie->isHttpOnly(),
            $cookie->isRaw(),
            $cookie->getSameSite(),
            $cookie->isPartitioned(),
        );
    }
}
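
Added example, not part of the thread or of Laravel: the frontend counterpart to a renamed cookie, reading it and sending its value in the `X-XSRF-TOKEN` header that `VerifyCsrfToken` checks. The cookie name `MY-TOKEN` comes from the `$map` above; the function names, the origin `https://app.example.test` and the sample cookie string are constructed for illustration.

```javascript
// Read one cookie by exact name from a document.cookie-style string.
function readCookie(cookieString, name) {
  // Split manually instead of building a RegExp from the name, so names
  // containing regex metacharacters are matched literally.
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      // The cookie value is URL-encoded on the wire.
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return null; // malformed percent-encoding: treat the token as absent
    }
  }
  return null;
}

// Methods the CSRF middleware treats as read-only; no token is needed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Build the headers to add to a request. Returns {} when no token should be sent.
function xsrfHeaders({ cookieString, cookieName = 'MY-TOKEN', method, url, pageOrigin }) {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  // Only attach the token to same-origin requests so it never leaks to other hosts.
  if (new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin) return {};
  const token = readCookie(cookieString, cookieName);
  return token ? { 'X-XSRF-TOKEN': token } : {};
}

// Constructed sample input (in a browser this would be document.cookie).
const sampleCookies = 'theme=dark; NOT-MY-TOKEN=zzz; MY-TOKEN=eyJpdiI6ImFiYyJ9%3D';
const sampleHeaders = xsrfHeaders({
  cookieString: sampleCookies,
  method: 'POST',
  url: '/api/posts',
  pageOrigin: 'https://app.example.test',
});
console.log(sampleHeaders);
```

With Axios, the `xsrfCookieName` option linked earlier in the thread covers the same step.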
