
Chron

Session timeouts

I'm planning to add an alert for the user to continue their work or let the system log out their account due to inactivity. Is having a GET route that points to a controller that only has $request->session()->regenerate()/invalidate() considered "safe"?

0 likes
4 replies
jlrdw
Best Answer
Level 75

It should be a POST; mine looks like this:

    public function logout(Request $request)
    {
        // Remove the authenticated user from the guard
        Auth::logout();

        // Flush all session data and issue a new session ID
        $request->session()->invalidate();

        // Rotate the CSRF token so the old one is no longer accepted
        $request->session()->regenerateToken();

        return redirect('/');
    }
1 like
Chron

Gotcha, thanks for the answer!

Snapey

what problem are you trying to fix?

You want to pop up a notice that says:

"Hey, I know you have not looked at me for two hours, but do you want to stay logged in? Hello? Oh wait, you are looking at a different tab, aren't you? Or maybe you have gone to bed?"

1 like
shahriar_shaon

It will work, but it’s not safe or recommended.

Invalidating or regenerating a session changes the application state, and GET requests should be read-only. GET routes are not CSRF-protected and can be triggered unintentionally (by browsers, bots, or malicious sites).

Use a POST route with CSRF protection for logout or session regeneration instead.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// In routes/web.php, so the web middleware group (including VerifyCsrfToken) applies
Route::post('/logout', function (Request $request) {
    Auth::logout();

    // Flush session data and rotate the session ID, then issue a fresh CSRF token
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return response()->json(['message' => 'Logged out']);
});
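The browser side of what the thread recommends, as an added example that is not from this thread or from Laravel itself: an inactivity timer that warns the user, then ends the session with a POST to /logout carrying the CSRF token, so no GET ever logs anyone out. It assumes the Blade layout renders Laravel's usual `<meta name="csrf-token" content="{{ csrf_token() }}">`, that a POST /logout route like the one above exists, and that /login is where a logged-out user should land; the 15-minute idle limit, the 60-second grace period and the event list are placeholders.

```javascript
// Added example (not from this thread or from Laravel): browser-side inactivity
// logout that ends the session only via POST /logout with the CSRF token.
//
// Assumptions: the layout renders <meta name="csrf-token" content="{{ csrf_token() }}">,
// a POST /logout route exists (as in the answers above), and /login is the
// post-logout destination. The timings below are placeholders.

const IDLE_LIMIT_MS = 15 * 60 * 1000; // assumed: warn after 15 minutes without input
const GRACE_MS = 60 * 1000;           // assumed: log out 60 s after the warning

// Pure state machine driven by timestamps, so it can be tested without timers.
// States: 'active' -> 'warned' -> 'loggedOut'; activity() returns to 'active'
// unless the session is already gone.
function createIdleLogout({ idleLimitMs = IDLE_LIMIT_MS, graceMs = GRACE_MS, startMs = 0 } = {}) {
  let state = 'active';
  let lastActivityMs = startMs;
  let warnedAtMs = null;

  function activity(nowMs) {
    if (state === 'loggedOut') return state; // never revive a dead session client-side
    state = 'active';
    lastActivityMs = nowMs;
    warnedAtMs = null;
    return state;
  }

  function tick(nowMs) {
    if (state === 'active' && nowMs - lastActivityMs >= idleLimitMs) {
      state = 'warned';
      warnedAtMs = nowMs;
    } else if (state === 'warned' && nowMs - warnedAtMs >= graceMs) {
      state = 'loggedOut';
    }
    return state;
  }

  return { activity, tick, getState: () => state };
}

// Reads the token from Laravel's meta tag; refuses to proceed without it rather
// than falling back to an unprotected request.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta && meta.getAttribute('content');
  if (!token) throw new Error('csrf-token meta tag missing; refusing to call /logout');
  return token;
}

// The request shape VerifyCsrfToken accepts: POST with the token in X-CSRF-TOKEN.
function buildLogoutRequest(csrfToken) {
  return {
    url: '/logout',
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        'X-CSRF-TOKEN': csrfToken,
        'X-Requested-With': 'XMLHttpRequest',
        Accept: 'application/json',
      },
    },
  };
}

// Browser wiring: input events reset the timer, a 1 s interval drives tick(),
// and the warning is a plain confirm() so the sample needs no extra markup.
function installIdleLogout(win, doc, fetchFn) {
  const idle = createIdleLogout({ startMs: Date.now() });
  let warned = false;
  ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'].forEach((ev) =>
    doc.addEventListener(ev, () => idle.activity(Date.now()), { passive: true }));
  const timer = win.setInterval(async () => {
    const state = idle.tick(Date.now());
    if (state === 'warned' && !warned) {
      warned = true;
      if (win.confirm('You have been inactive. Stay logged in?')) {
        // confirm() blocks the interval, so re-check the clock before trusting the click
        if (idle.tick(Date.now()) !== 'loggedOut') { warned = false; idle.activity(Date.now()); }
      }
    } else if (state === 'loggedOut') {
      win.clearInterval(timer);
      const { url, init } = buildLogoutRequest(readCsrfToken(doc));
      try { await fetchFn(url, init); } finally { win.location.assign('/login'); }
    }
  }, 1000);
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installIdleLogout(window, document, window.fetch.bind(window));
}
```

The client timer is only a courtesy to the user; the session's real lifetime is still whatever the server's session configuration allows, and the POST /logout handler above is what actually invalidates it.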
