
Leisly

Hi everybody!

CSRF Token is against Cross-Scripting, so against bots, isn't it? There is a solution against bots: CAPTCHA. Why not ask the user to prove that he's not a bot by displaying a CAPTCHA in a modal, then refresh the token with an AJAX request?

What do you think about it?

dunas

I solved this by adding this at the :

What do you think?

mdaliyan

Has anyone solved this yet?

Renewing the CSRF token at a fixed period of time doesn't work well. There are so many reasons users open multiple tabs in their browser; renewing the CSRF token breaks connectivity of the other tabs.

afrayedknot

In Laravel 5.5 it now provides a TokenMismatch error page, and returns an HTTP status of 419: https://github.com/laravel/framework/pull/18728

So you can create a custom 419.blade.php to display a TokenMismatch error - or you can handle it in your own way.

Ajax/SPA applications can listen for the 419 response code and handle accordingly.

froind

This is an issue that has been fixed in Laravel 5.3.

I'm just posting this so that people using Laravel < 5.3 know how to fix it. You just need to paste the following method (found in the above link), addCookieToResponse, into app/Http/Middleware/VerifyCsrfToken.php
Aasifkhan

I want to expire the user session after 20 minutes, but the issue is that I am calling AJAX at an interval of every 5 seconds, and just because of that the session is being updated and the user is not logged out even after 20 minutes of idleness.

Does anyone know of any way to not update the session on the AJAX call?

Here is my session.php configuration:

'lifetime' => 20,
'expire_on_close' => false,
boosuro

The solution that worked for me when the user leaves the form for a while, with CSRF enabled for every request, is to make a GET request in the AJAX success handler when the request fails because the token has expired. Then have a hidden field that continues to be updated with the latest token, and if at the time of making the request it has expired, you make a GET request to fetch the latest token and then invoke the click event on the function that submits the form, which means the function has to be passed "this" or the ID as a parameter. This makes the user not realize the process of renewing the token in the background.
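The flow boosuro describes (and the 419 status afrayedknot mentions for Laravel 5.5+), as an added JavaScript example that is not from this thread or from Laravel: submit with fetch, and on a 419 fetch a fresh token once, update the hidden field through a callback, and resubmit. The GET /csrf-token route and its {"token": "..."} JSON body are assumptions (Laravel does not ship such a route), and the fake server is constructed so the example runs offline.

```javascript
// Added example (not from the thread or from Laravel). ASSUMPTION: the app
// exposes GET /csrf-token returning {"token": "..."} to same-origin requests.
async function fetchFreshToken(fetchFn, tokenUrl) {
  const res = await fetchFn(tokenUrl, {
    credentials: 'same-origin',
    headers: { Accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token === '') {
    throw new Error('token endpoint returned no token');
  }
  return body.token;
}

// state.token holds the current CSRF token; opts.onRefresh lets the caller
// write the new token into the hidden _token field / <meta name="csrf-token">.
async function postWithCsrfRetry(fetchFn, url, data, state, opts = {}) {
  const tokenUrl = opts.tokenUrl || '/csrf-token';
  const send = () => fetchFn(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      Accept: 'application/json',
      'X-CSRF-TOKEN': state.token,
    },
    body: JSON.stringify(data),
  });
  let res = await send();
  if (res.status === 419) { // Laravel 5.5+: TokenMismatchException
    state.token = await fetchFreshToken(fetchFn, tokenUrl);
    if (opts.onRefresh) opts.onRefresh(state.token);
    res = await send(); // retry exactly once; a second 419 goes back to the caller
  }
  return res;
}

// Constructed stand-in for the server so the flow runs offline: it issues a
// new token on each GET /csrf-token and answers stale POSTs with 419.
function makeFakeServer() {
  let current = 'tok-1';
  let n = 1;
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  return async (url, init = {}) => {
    const headers = init.headers || {};
    if (url === '/csrf-token') { current = `tok-${++n}`; return reply(200, { token: current }); }
    if (headers['X-CSRF-TOKEN'] !== current) return reply(419, { message: 'CSRF token mismatch.' });
    return reply(200, { saved: JSON.parse(init.body) });
  };
}
```

The token route must sit behind the same session middleware as the form and must not be exposed through CORS, so that only same-origin scripts with the user's session cookie can read the token.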
