
vincej

Session Regeneration creates annoying 419 error

Ok, I am using Laravel UI, not Breeze or Jetstream or Fortify. So in my logout function I clear the existing session and regenerate it to avoid session fixation.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function logout(Request $request)
{
    Auth::logout();
    $request->session()->flush();
    $request->session()->regenerate();
    return view('auth/logout');
}

However this is a pain, as when you go to log in again later, the new session has of course timed out, and I get a 419 error, session timed out, which I have adapted to give a meaningful user message. But still, the user now has to close that specific webpage and create a new tab to log in - what a pain.

So - the easy answer is just don't regenerate the session. But the Laravel docs suggest I should .... so do I have any better options? Can I just remove the session()->regenerate()?

Many thanks!

sr57

2 questions

Where does Laravel suggest regenerating the session at logout?

Why do you return the logout view?

siangboon

He is referring to this, I guess, but this regenerates the token instead of the session....

https://laravel.com/docs/8.x/authentication#logging-out

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

/**
 * Log the user out of the application.
 *
 * @param  \Illuminate\Http\Request $request
 * @return \Illuminate\Http\Response
 */
public function logout(Request $request)
{
    Auth::logout();

    $request->session()->invalidate();

    $request->session()->regenerateToken();

    return redirect('/');
}


jlrdw

@vincej I agree with @siangboon, mine is also:

    public function logout(Request $request)
    {
        Auth::logout();

        $request->session()->invalidate();

        $request->session()->regenerateToken();

        return redirect('/');  // wherever, here
    }

So redirect somewhere other than logout, to a page not requiring a csrf token.

vincej

Thank you for all your replies.

I got to the bottom of the problem. In forming a logout page as recommended by @snapey years(?) ago, I stupidly used my master layout, which included a csrf token. What I should have done is simply create a clean HTML page. OK, so I fixed that.

On the controller which sends you to the logout page, I have still left in place:

public function logout(Request $request)
{
    Auth::logout();
    $request->session()->flush();
    return view('auth/logout');
}

I looked up invalidate() and regenerateToken() in the docs. I do not understand the point of recreating the sessions or tokens. Surely that is exactly what I am trying to avoid. I read @snapey's two articles, and maybe I am not understanding them fully. OK, I get it: some bad person might force a logout and then hijack the session. However, I do not see how they apply to my case. All I want is for the user to log out and everything is neutralised.

sr57

Hi @vincej

If I sum up, you understand that there is no need to regenerate the session at logout (the session is no longer useful) and you can display a 'logout' message after logout but not redo the logout form.

I do not see how they apply to my case

If your site has no critical data, you can forget this, but if not it's a MUST* since it is (so easy) to get the session id from a user (social engineering, ...). People tend to protect their credentials (password, key, ...) but don't understand that the session id is personal data, so people can share it with others during 'maintenance remote assistance', .... Even worse, a web site can put the session id in the URL and people share a 'screen capture' with this info ...

If you don't regenerate the session (at login), the system tends to be lazy and re-attribute the same session id to you, ...

*Session destroy at logout is not a must, it's a good practice (to free memory).
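The fixation scenario sr57 describes, as an added example that is not part of the thread and not Laravel's code: a minimal in-memory model of a cookie-based session store (the SessionStore class, the login() helper and the scenario data are all invented for illustration) showing why the session id has to move to a fresh value at login, and what invalidate() leaves behind at logout.

```php
<?php
// Added illustration, not Laravel's implementation: a lazy server-side
// session store that accepts whatever id the client presents.
final class SessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    // Start (or resume) a session. Accepting a client-supplied id that the
    // server never issued is the behaviour that makes fixation possible.
    public function start(?string $id): string
    {
        if ($id === null) {
            $id = bin2hex(random_bytes(16));
        }
        $this->sessions[$id] ??= [];
        return $id;
    }

    public function put(string $id, string $key, mixed $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function get(string $id, string $key): mixed
    {
        return $this->sessions[$id][$key] ?? null;
    }

    // Keep the data, move it under a fresh id, forget the old id
    // (the effect of Laravel's session()->regenerate()).
    public function regenerate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    // Drop all data and hand out a brand-new id
    // (the effect of Laravel's session()->invalidate()).
    public function invalidate(string $id): string
    {
        unset($this->sessions[$id]);
        return $this->start(null);
    }
}

// Hypothetical login step: optionally rotate the id before marking the
// session as authenticated.
function login(SessionStore $store, string $id, string $user, bool $regenerate): string
{
    if ($regenerate) {
        $id = $store->regenerate($id);
    }
    $store->put($id, 'user', $user);
    return $id;
}

// Constructed scenario: the attacker already knows a session id (shared
// screenshot, id in a URL, remote assistance) and the victim's browser
// presents that same id when logging in. Returns who the attacker's id is
// now logged in as, or null if it is no longer a usable session.
function attackerSeesUser(bool $regenerateAtLogin): ?string
{
    $store = new SessionStore();
    $attackerKnownId = $store->start(null);

    $victimId = login($store, $store->start($attackerKnownId), 'alice', $regenerateAtLogin);

    $seen = $store->get($attackerKnownId, 'user');

    // Logout with invalidate(): the victim's id stops resolving to data.
    $store->invalidate($victimId);
    assert($store->get($victimId, 'user') === null);

    return $seen;
}

echo "without regenerate at login, attacker's id is logged in as: "
    . var_export(attackerSeesUser(false), true) . PHP_EOL;
echo "with regenerate at login, attacker's id is logged in as: "
    . var_export(attackerSeesUser(true), true) . PHP_EOL;
```

The first call leaves the attacker's pre-known id authenticated as the victim; the second leaves it pointing at nothing, because the data moved to an id only the victim's browser received. The store is deliberately lazy to make the point; the fix at the application layer is the one-line regenerate() after a successful attempt.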

Snapey

Vince

At logout, you just need to invalidate the user's session. That's all there is to it.

Any csrf token that is sent to any subsequent view will be new and for the new session and therefore should be perfectly functional.

When you go to login you should get a new form with a new csrf token.

If you are using Inertia/vue and not actually loading a new page then I can't really help you other than refer to the articles I mentioned earlier.

If the user logs out and then walks away, then returns more than 2 hours later then the session will have expired and any new POST requests will fail.

My "expired csrf and login" post recommends the page automatically reloads after 2 hours, thus ensuring the browser always has a valid session.
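The flow Snapey and the docs describe (regenerate at login, invalidate plus a fresh token at logout, then redirect so the next page is rendered in the new session), as an added example that is not code from the thread or from Laravel UI. It assumes a Laravel 8-style app with the `web` middleware group; the controller name, the route names `login` and `home`, the view name `auth.login` and the error message are assumptions.

```php
<?php
// Added example; controller, route and view names are assumed.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    // GET /login. The form's @csrf reads the token of whatever session the
    // browser currently has; if there is none, the session middleware
    // starts a fresh one for this response.
    public function showLoginForm()
    {
        return view('auth.login');
    }

    // POST /login
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials, $request->filled('remember'))) {
            return back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => 'These credentials do not match our records.']);
        }

        // Session fixation defence: keep the session data but move it to a
        // new id, so an id known before login no longer reaches this session.
        $request->session()->regenerate();

        return redirect()->intended(route('home'));
    }

    // POST /logout. The @csrf token in the logout form belongs to the
    // still-authenticated session, so VerifyCsrfToken accepts the request.
    public function logout(Request $request)
    {
        Auth::logout();

        // Drop all session data and issue a new session id...
        $request->session()->invalidate();

        // ...and a new CSRF token, so any form rendered from here on (the
        // login form, for instance) carries a token matching the new session.
        $request->session()->regenerateToken();

        // Redirect rather than returning a view from the POST: the landing
        // page is rendered in the new session, and refreshing it does not
        // re-submit the logout request.
        return redirect()->route('login')->with('status', 'You have been logged out.');
    }
}
```

Whatever page the redirect lands on renders its `@csrf` field against the new session, which is why a plain confirmation page or the login form works here while a view returned directly from the logout POST, carrying a token the next request may not match, is the 419 trap the original poster hit.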

vincej

@snapey thanks for that Mark. That is how I understand things as well. sr57 suggests I need to specifically regenerate a new session at login. That does not make sense to me.

Changing subjects - yes, I used Vue to manage a single page in this app where I have mountains of checkboxes (as you know they are my nemesis!). However I have found Vue quite complex, and therefore not quite the solution to JS I had hoped, so I am revisiting Livewire. Hope you're well.

lcr13

@snapey hi, I encountered error 419 page expired, 'throw new TokenMismatchException('CSRF token mismatch.')'. I have a login and logout system with two different Livewire components on the same page. When I put $request->session()->regenerate(); in the login component and $request->session()->invalidate(); $request->session()->regenerateToken(); in the logout component, it started to throw this error. When I remove them there are no errors.

I looked at the docs and I understand that it is the laravel_session value that has to change. So I opened the developer tools to look at the cookie, and I see that it changes when I log in and again when I log out, and every time I click a button or link.

What do I have to do?
