Chron

Session timeouts

I'm planning to add an alert for the user to continue their work or let the system log out their account due to inactivity. Is having a GET route that points to a controller that only has $request->session()->regenerate()/invalidate() considered "safe"?

0 likes
4 replies
jlrdw
Best Answer
Level 75

Should be a POST, mine looks like this:

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    public function logout(Request $request)
    {
        // Forget the authenticated user for this session
        Auth::logout();

        // Flush all session data and issue a new session id
        $request->session()->invalidate();

        // Rotate the CSRF token so the old one cannot be reused
        $request->session()->regenerateToken();

        return redirect('/');
    }
1 like
Chron

Gotcha, thanks for the answer!

Snapey

What problem are you trying to fix?

You want to pop up a notice that says:

"Hey, I know you have not looked at me for two hours, but do you want to stay logged in? Hello? Oh wait, you are looking at a different tab, aren't you? Or maybe you have gone to bed?"

1 like
shahriar_shaon

It will work, but it’s not safe or recommended.

Invalidating or regenerating a session changes the application state, and GET requests should be read-only. GET routes are not CSRF-protected and can be triggered unintentionally (by browsers, bots, or malicious sites).

Use a POST route with CSRF protection for logout or session regeneration instead.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::post('/logout', function (Request $request) {
    Auth::logout();

    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return response()->json(['message' => 'Logged out']);
});
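The two answers above give the logout method and the route separately; the example below, added here and not code posted by anyone in this thread, puts them together for the inactivity dialog the original question describes. It assumes a stock Laravel application: routes/web.php runs under the default `web` middleware group (which includes StartSession and VerifyCsrfToken), and `App\Http\Controllers\SessionController` with its `keepAlive` method is a hypothetical name chosen for this example. The two sections belong in the two files named in the comments.

```php
<?php
// Added example for this thread, not code posted by any participant.
// Assumes a stock Laravel app with the `web` middleware group applied to
// routes/web.php. SessionController is a hypothetical class name.

// ---------------- app/Http/Controllers/SessionController.php ----------------
namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    // Target of the inactivity dialog's "log me out" action (a POST, see routes).
    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();                          // forget the authenticated user
        $request->session()->invalidate();       // flush data, new session id
        $request->session()->regenerateToken();  // the old CSRF token is now useless

        return redirect('/');
    }

    // Target of the dialog's "keep me signed in" action (hypothetical endpoint).
    // It deliberately does nothing: any authenticated request that passes through
    // the `web` group touches the session, which is what `session.lifetime`
    // (minutes of inactivity) is measured against.
    public function keepAlive(): Response
    {
        return response()->noContent();
    }
}

// ---------------- routes/web.php ----------------
use App\Http\Controllers\SessionController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // POST only. VerifyCsrfToken skips the "reading" methods (GET, HEAD, OPTIONS),
    // so a GET /logout would be reachable from any page that can make the browser
    // request that URL. With POST the request must carry the current session's
    // CSRF token, and a GET /logout simply answers 405 Method Not Allowed.
    Route::post('/logout', [SessionController::class, 'logout'])->name('logout');
    Route::post('/session/keep-alive', [SessionController::class, 'keepAlive'])
        ->name('session.keep-alive');
});
```

On the client side, the dialog's log-out button should submit a `<form method="POST" action="{{ route('logout') }}">` that contains `@csrf`, or issue a `fetch()` POST with the `X-CSRF-TOKEN` header read from `<meta name="csrf-token" content="{{ csrf_token() }}">`; either way the token is what a GET route would lack. The inactivity window the client-side timer counts down should match `lifetime` in config/session.php, since the server expires the session on that schedule regardless of what the dialog shows.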
