
kovbo

Laravel 5.6. The page has expired due to inactivity problem after ajax login.

I created a form which is public. However, it requires the user to be logged in before it can be submitted.

Basically, I combined 2 forms on the same page: login form, and the main form.

I'm using AJAX to authenticate user, and sending the main form on success without refreshing the page.

$(function () {
    var loginForm = $('#login-form');

    // Intercept the login form and send it via AJAX instead of a full page load
    loginForm.on('submit', function (e) {
        e.preventDefault();
        var loginData = loginForm.serialize(); // includes the hidden _token field

        $.ajax({
            type: 'POST',
            url: '/login',
            data: loginData,
            success: function (data) {
                // Logged in: now send the main form without refreshing the page
                $('#main-form').submit();
            }
        });
    });
});

It works fine with Laravel 5.5, but Laravel 5.6 gives me "The page has expired due to inactivity" error. Authentication works fine, and the user is logged in after refreshing the page. But the form cannot be submitted without refreshing the page.

Trying to submit the form using an AJAX request after the AJAX login, the console shows a 419 error.

Of course, I'm using {{ csrf_field() }}. The form contains _token field.

Moreover, it works fine when I try to register a new user, and submit the form on success. Form submits successfully, and it belongs to a user.

It also works fine if I disable csrf protection for my main form route.

But how can I solve this problem with CSRF? Maybe I have missed something?

Snapey

When you log in, the session is regenerated, so any previous CSRF token is no longer valid.

I would be very surprised if this worked in 5.5 either.

kovbo (OP), Best Answer

Thank you, @Snapey, you are right.

Laravel has a sendLoginResponse function which regenerates the user's session.

protected function sendLoginResponse(Request $request)
{
    // Regenerates the session ID, which also invalidates the CSRF token issued before login
    $request->session()->regenerate();

    $this->clearLoginAttempts($request);

    return $this->authenticated($request, $this->guard()->user())
            ?: redirect()->intended($this->redirectPath());
}

You can override this function inside LoginController.php, and either delete this line: $request->session()->regenerate();, or return the new token:


protected function sendLoginResponse(Request $request)
{
    $request->session()->regenerate();
    $this->clearLoginAttempts($request);

    if ($request->ajax()) {
        // AJAX request: hand back the regenerated session's CSRF token so the
        // client can put it into the main form before submitting it.
        // Laravel converts the returned array to a JSON response.
        return [
            '_token' => $request->session()->token(),
        ];
    }

    // Normal POST: do the usual redirect
    return $this->authenticated($request, $this->guard()->user())
        ?: redirect()->intended($this->redirectPath());
}
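The server side above only helps if the client actually uses the token it gets back; the original jQuery code submits the main form with the stale `_token` it was rendered with. The following is an added example (not code from this thread) of the matching client side in plain browser JavaScript. It assumes the overridden sendLoginResponse() returns {"_token": "..."} for AJAX requests, that the page has a hidden `_token` input in #main-form and a `<meta name="csrf-token">` tag, and that the login form has the id `login-form`. It sends the `X-Requested-With: XMLHttpRequest` header explicitly, because fetch() does not add it the way jQuery does and `$request->ajax()` relies on it. Regeneration is kept rather than removed: rotating the session ID on login is what protects against session fixation, so the client adapts to the new token instead.

```javascript
// Added example: consume the fresh CSRF token returned by the overridden
// sendLoginResponse() and apply it before submitting the main form.
// Assumed page layout: #login-form, #main-form with a hidden _token input,
// and a <meta name="csrf-token"> tag (constructed assumptions, not from the thread).

// Pull the fresh token out of the login response; fail loudly if it is missing.
function tokenFromLoginResponse(body) {
  if (!body || typeof body._token !== 'string' || body._token.length === 0) {
    throw new Error('login response did not carry a fresh CSRF token');
  }
  return body._token;
}

// Write the fresh token into every place the page keeps one: hidden _token inputs
// and the csrf-token meta tag that $.ajaxSetup / axios read for the X-CSRF-TOKEN header.
// `root` is anything with querySelectorAll (document in the browser, a stub in tests).
// Returns how many elements were updated.
function applyFreshCsrfToken(root, token) {
  let updated = 0;
  for (const input of root.querySelectorAll('input[name="_token"]')) {
    input.value = token;
    updated++;
  }
  for (const meta of root.querySelectorAll('meta[name="csrf-token"]')) {
    meta.setAttribute('content', token);
    updated++;
  }
  return updated;
}

// Log in over fetch(), then submit the main form with the regenerated session's token.
async function loginThenSubmit(loginForm, mainForm) {
  const res = await fetch('/login', {
    method: 'POST',
    headers: {
      'X-Requested-With': 'XMLHttpRequest', // makes $request->ajax() true
      'Accept': 'application/json',
    },
    body: new FormData(loginForm), // carries the pre-login _token, still valid for this request
    credentials: 'same-origin',
  });
  if (res.status === 419) {
    throw new Error('CSRF token was already stale before login; reload the page');
  }
  if (!res.ok) {
    throw new Error('login failed with HTTP ' + res.status);
  }
  const token = tokenFromLoginResponse(await res.json());
  applyFreshCsrfToken(document, token);
  mainForm.submit(); // now carries the token that matches the regenerated session
}

// Wire it up only when running in a browser.
if (typeof document !== 'undefined') {
  document.getElementById('login-form').addEventListener('submit', (e) => {
    e.preventDefault();
    loginThenSubmit(e.target, document.getElementById('main-form')).catch(console.error);
  });
}
```

Updating the meta tag as well as the hidden input matters when the main form is itself sent with AJAX: Laravel's VerifyCsrfToken middleware also accepts the token from the X-CSRF-TOKEN header, which jQuery or axios setups usually read from that meta tag.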
fh-jashmore

Does anyone know if there is a security risk for deleting the $request->session()->regenerate() line?

Snapey

@fh-jashmore Personally I would stick to regenerating, but perhaps the session data could be copied across, since

$data = $request->session()->all();

will return anything that has been tucked away in the user's session. Perhaps grab this, regenerate the session and then put it back?
