Level 7
@tebowner You may use a middleware to check session. If Session empty then redirect to your destination.
Jun 10, 2015
27
Level 2
CSRF token mismatch error on session timeout / form
A session timeout causes a Token error on a post. This is not a malicious attempt... I am looking for a way to redirect the user back to my login page anytime a session timeout occurs and they try and "do something".
Right now i get the error page in Production but no real error occurred. On a Session timeout - would be nice if the timeout could redirect to my login page and display message
Level 2
I do that ... but the CSRF check seems to occur before any of my middleware..
Do this ...
- set a low lifetime / timeout in config/session
- login to your app and go to a form with a submit
- let it timeout and submit your form
- I get Token error even before my middleware hits
??? i think so ???
Level 7
@tebowner Did you add this in your form
<input type="hidden" name="_token" value="{!! {{ 'csrf_token()' }} !!}">
Level 2
yes - automatically added using !! ... that is why i get an error - it is a timeout which loses the token - new token causes legit error.
Level 7
@tebowner , are You using illuminate/html ?
Level 2
its on a post, a get will redirect to the login fine.... its the issue of token mismatch being errorred out before other middleware
Level 5
I also get the same issue where if a form is idle for a while and I'd like to ideally redirect the user back to the login but instead I get a token mismatch error.
Also wondering how to handle the non-logged-in situations more elegantly where a user opens our contact form page (no login required) and comes back to it after a while to submit but it throws a token mismatch error.
Level 2
@mondovo yes! either way its the same issue. I can disable token checking but that doesnt really solve this issue. I have tried to look for answers ... saw something about changing the redirect on an error message to always point to login page but that isnt really what i want to do all the time
Level 2
@mondovo Have you found a fix for this? 5.1 seems to have same problem...?
Level 2
@mondovo Have you found a fix for this? 5.1 seems to have same problem...?
Level 52
You could add a bit of JavaScript with a timer that would refresh the page after a while on it (if sessions last 1 hour, make it 55 mins), that way, the session will not end?
1 like
Level 16
Hi @tebowner, I have addressed this problem (in a way I am comfortable with) here: https://github.com/GeneaLabs/laravel-caffeine
The way it solves the problem is by keeping the session alive on pages that have a token. Other pages will simply expire as usual. I would be interested to hear if there are any use-cases where this method is not appropriate (so that I can address that in the package as well)? The main reason I did not use redirect to the login page was to accommodate AJAX submitted requests. Perhaps there is a way to elegantly handle that, though, without loosing the form data.
Let me know how this works for you.
3 likes
Level 41
@tebowner You would have to use javascript to refresh the token after a certain amount of time. Otherwise, you would have to catch TokenMismatchException. Open app/Exceptions/Handler.php. You can then make the necessary changes like so:
use Illuminate\Session\TokenMismatchException;
public function render($request, Exception $e)
{
if ($e instanceof TokenMismatchException){
// Catch it here and do what you want. For example...
return redirect()->back()->withInput()->with('error', 'Your session has expired');
}
return parent::render($request, $e);
}
3 likes
Level 13
So when exactly to you get a new token?
Level 16
@jimmck With Caffeine for Laravel (see links above) I chose not to refresh the token through AJAX, because that could create a security vulnerability, opening your site up to attacks. Instead, I drips (caffeine) through regular pings to Laravel to keep the session alive.
Level 1
@thomaskim This worked perfect thanks! I changed it to redirect to the auth/login page. No one else mentioned to add the line below and it fixed it for me.
use Illuminate\Session\TokenMismatchException;
Level 1
@mikebronner Hello,
It looks like I'm going to use your package to solve this issue. But I think we faced this issue before the session get expired for example our session expiry is about 8 hours.
Do we still need to consider the redirect solution in case of non-Ajax requests while using your package?
Thanks.
Level 16
Hi @alexmansour,
The package is intended for use with standard (non-SPA) apps that make a request for page renders. It is not intended to work with SPAs -- I just wanted to clear that up before you get too deep into it.
You wont have to do anything special, it will do everything for you, all you need to do is install it, and it will keep the session alive via ajax calls to its own endpoint. This only happens on pages that actually have forms on them, as we want the session to expire on non-form pages, as per usual. (If you are trying to keep the session alive for all pages, simply increase the session lifetime in your config file.)
I hope this answers your questions somewhat? If not, don't hesitate to ask (and perhaps include a specific use-case to illustrate your point).
Let me know how it goes for you! Good luck :).
1 like
Level 1
Thanks for your reply @mikebronner
Is there any security concerns or use cases where it's not recommended to use this package?
Level 16
@alexmansour There shouldn't be any security concerns introduced by the Laravel Caffeine package. The only gotcha is that it isn't meant for single page apps (SPAs), as already noted. Other than that, you should be good to go. Let me know how it goes. In the worst case, you can just remove the package and you will be back to normal. :)
Level 1
@mikebronner Yes this is it, so it's worth trying it.
Thank you anyway.
Level 2
What to do if i also need to redirect back to login page even on pages with form when session expired ? I don't want to keep the session alive
Level 16
Hi @mikebronner,
I just installed laravel-caffeine package from - https://github.com/GeneaLabs/laravel-caffeine. Then added service provider class in config/app.php. (There is no related middleware in my Kernal.php.)
I tried to test my session to 1 (mean 1 minute). I open edit form page in my app, 1 minute later I submitted the form. The error "Token Mismatch" is still happening.
Is there anything else do I need to set up for this package?
Thanks!
Edited: I'm running on Laravel 5.1
Level 16
Hi @mgmk, please open an issue here: https://github.com/GeneaLabs/laravel-caffeine/issues
Level 16
Hi Mike (@mikebronner), I already solved the problem. This is because I put session to 1 min for testing.
Your package is working perfectly. Now I changed the session time and it's working.
Thanks for replay!
Level 16
@mgmk That's awesome, great to hear you got it running. :)
Please or to participate in this conversation.