
dangelsaurus

multiple valid CSRF tokens for multiple forms/posts per page?

I have a page that dynamically loads multiple forms via ajax. Because of this, SOME forms have different csrf tokens, and from what I can see only the latest token is stored in the session, therefore I'm getting TokenMismatchException errors when submitting any previously created form.

(think of this page as sort of having multiple yes/no questions: as soon as you answer one question, it slides off the screen and another question is loaded, therefore multiple forms/ajax requests and tokens)

  1. Should I load the main page with a csrf token and share it with all the dynamically created forms? (when will the original token expire)
  2. Is there a way to let laravel accept more than one token?
  3. Why would some forms share the same token, and others created later have different tokens?
  4. Short of disabling csrf for this URI, any other work-arounds?
jimmck

There is one csrf token per session. Once the session timeout is reached a new one is generated. There are a multitude of posts on this topic. Take your pick.

dangelsaurus

I've spent the better part of the evening searching before I posted this question...

I went with the approach of adding <meta name="csrf-token" content="{{ csrf_token() }}" /> to the head of the page and grabbing that with the ajax request. The problem now is that after a few ajax posts (literally just a few seconds), I'm getting a new session file being generated and therefore the token is stale. If I only have one browser tab open, why am I seeing multiple session files?
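The meta-tag approach described in the reply above, worked through as an added example that is not code from the thread or from Laravel: one token shared by every dynamically loaded form, sent in the X-CSRF-TOKEN header, and refreshed once when the server rejects it as stale, so the route keeps CSRF protection. It assumes the page carries the meta tag quoted above, that a stale token is answered with HTTP 419 (Laravel 5.5 and later map TokenMismatchException to that status), and a hypothetical GET /csrf-token route that returns the current token as JSON; the fake server at the bottom is constructed so the code runs offline under Node.

```javascript
// Added example, not code from the thread: keep one CSRF token for every
// dynamically loaded form on the page and recover from a stale token by
// refreshing it, instead of disabling CSRF for the route.
// Assumptions (not stated in the thread):
//   - the page carries <meta name="csrf-token" content="{{ csrf_token() }}">
//   - a stale token is answered with HTTP 419 (Laravel 5.5+ maps
//     TokenMismatchException to that status)
//   - a hypothetical GET /csrf-token route returns {"token": "..."}

// Read the token from a document-like object. Taking `doc` as a parameter
// lets the function run under Node without a DOM; in the browser pass `document`.
function readMetaToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (!meta) throw new Error('csrf-token meta tag missing from page head');
  return meta.getAttribute('content');
}

// Request options Laravel's VerifyCsrfToken middleware accepts: the token in
// the X-CSRF-TOKEN header and same-origin credentials so the session cookie
// the token is checked against travels with the request.
function buildPostInit(token, payload) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'X-Requested-With': 'XMLHttpRequest',
      'X-CSRF-TOKEN': token,
    },
    body: JSON.stringify(payload),
  };
}

// Post one form. The token lives in a shared store, so every form loaded via
// ajax uses the current one. On 419 the token is refreshed once and the post
// retried; a second 419 is returned to the caller (real session loss, e.g. logout).
async function postForm(url, payload, ctx) {
  // ctx = { fetch, tokenStore: { token }, refreshUrl }
  let res = await ctx.fetch(url, buildPostInit(ctx.tokenStore.token, payload));
  if (res.status === 419) {
    const fresh = await ctx.fetch(ctx.refreshUrl, { credentials: 'same-origin' });
    ctx.tokenStore.token = (await fresh.json()).token;
    res = await ctx.fetch(url, buildPostInit(ctx.tokenStore.token, payload));
  }
  return res;
}

// Constructed stand-in for the Laravel side so the example runs offline:
// like a session, it accepts exactly one token and rejects every other with 419.
function makeFakeServer(sessionToken) {
  const log = [];
  const fetch = async (url, init = {}) => {
    if (url === '/csrf-token') {
      return { status: 200, json: async () => ({ token: sessionToken }) };
    }
    const sent = init.headers && init.headers['X-CSRF-TOKEN'];
    log.push({ url, sent });
    if (sent !== sessionToken) {
      return { status: 419, json: async () => ({ message: 'CSRF token mismatch.' }) };
    }
    return { status: 200, json: async () => ({ ok: true }) };
  };
  return { fetch, log };
}

// Scenario from the thread: the page was rendered with token-A, the session
// has since rotated to token-B, and a form answered later is submitted.
async function demo() {
  const server = makeFakeServer('token-B');
  const tokenStore = { token: 'token-A' };
  const ctx = { fetch: server.fetch, tokenStore, refreshUrl: '/csrf-token' };
  const res = await postForm('/answer', { question: 1, answer: 'yes' }, ctx);
  return { status: res.status, attempts: server.log.length, token: tokenStore.token };
}

if (typeof module !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r)); // { status: 200, attempts: 2, token: 'token-B' }
}
```

In the browser the store is filled once with readMetaToken(document) and then handed to every form's submit handler, so a form rendered before the token rotated still succeeds after one refresh; the refresh route must itself be a harmless GET that only echoes the session's current token, which is what Laravel's csrf_token() helper returns.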

jimmck

I run debugbar all the time. No issues. I track the token all the time. When it changes it is logged and new one is picked up via a JWT guarded get call. Just placing the token in the header and plucking it out does not always work. The session can expire the token and the one in the header is invalid. Have not fully traced what order it happens.

kingpabel

You can solve this by deactivating the CSRF token for only one route.
