LF BLOG // Updated Laravel 419 Guide

We've updated our Laravel 419 aka CSRF guide to reflect the latest default Laravel configurations.

It now expects _token to be a form field and reads the CSRF token from that field before logging in. Below is an example of how we do this on LoadForge:

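from locust import HttpUser, task, between
from pyquery import PyQuery

class QuickstartUser(HttpUser):
    # Wait between 5 and 9 seconds per request per user
    wait_time = between(5, 9)

    def on_start(self):
        # Load the login form, which carries the hidden _token field
        response = self.client.get("/login")

        # Read the CSRF token from the _token form field
        pq = PyQuery(response.content)
        elements = pq("input[name=_token]")
        csrftoken = None
        for token in elements:
            csrftoken = token.value

        # Log in, sending the token back as the _token form field
        self.client.post("/login",
                         {"email": "user@domain.com", "password": "secr3t", "_token": csrftoken})

    @task
    def index_page(self):
        # Request /dashboard on your Host
        self.client.get("/dashboard")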

The above snippet will go to /login and find the CSRF token, then try to log in as user@domain.com with the password secr3t.
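The token lookup above silently yields nothing when the login page fails to render, and the login then returns 419. The following added example (not LoadForge's own code) does the same extraction with Python's standard html.parser instead of PyQuery and fails loudly when no token is present. It goes slightly beyond the guide by also accepting the csrf-token meta tag that Laravel layouts commonly include; the function name and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser


class _TokenFinder(HTMLParser):
    """Collects Laravel CSRF tokens from a rendered page."""

    def __init__(self):
        super().__init__()
        self.form_token = None   # <input name="_token" value="...">
        self.meta_token = None   # <meta name="csrf-token" content="...">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "_token" and self.form_token is None:
            self.form_token = a.get("value")
        elif tag == "meta" and a.get("name") == "csrf-token":
            self.meta_token = a.get("content")


def extract_csrf_token(html):
    """Return the CSRF token from the page, or raise if there is none."""
    finder = _TokenFinder()
    finder.feed(html)
    token = finder.form_token or finder.meta_token
    if not token:
        # Posting without a token is what produces the 419 response,
        # so stop here instead of sending a login that cannot succeed.
        raise ValueError("no _token field or csrf-token meta tag in response")
    return token


# Constructed sample pages (not captured from a real application)
LOGIN_FORM = """
<form method="POST" action="/login">
  <input type="hidden" name="_token" value="CONSTRUCTED-FORM-TOKEN">
  <input type="email" name="email"><input type="password" name="password">
</form>
"""
META_ONLY = '<head><meta name="csrf-token" content="CONSTRUCTED-META-TOKEN"></head>'
ERROR_PAGE = "<html><body><h1>503 Service Unavailable</h1></body></html>"

if __name__ == "__main__":
    print(extract_csrf_token(LOGIN_FORM))
    print(extract_csrf_token(META_ONLY))
```

In a Locust user, pass response.text from the GET /login request to extract_csrf_token and let the ValueError mark on_start as failed.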
