In general this should not happen. Are you manually updating or using session values somewhere in the application?
Sessions creating multiple sessions for the same user.
https://i.gyazo.com/410b39cd1269ac8a2467c49077ac774f.png
I'm not sure how sessions are supposed to work, so this might be fine, but after about 2 days of trying to debug why I'm getting token mismatches at random within my app, I've narrowed it down to this. The token mismatches about 25% of the time, which is annoying because every time I think I've fixed the issue (because the form submits perfectly fine the other 75% of the time), I go to work on another part of my app, but then I have to keep coming back to try and fiddle with something when it fails.
I can navigate my app fine, but every so often when I go to a page it will create a new session, which, when I come to submit a form via AJAX, causes the session token to not match the token that is on the page.
When monitoring the sessions table, if there is only one entry then there is no mismatch, but when it creates a new one it stops working.
From what I understand the session should overwrite the previous record for a user rather than creating a new one?
Can anyone confirm that there is something wrong with my sessions? Or should I continue to try and track down a potential cause?
Thanks.
I haven't touched anything to do with sessions (that I am aware of), which is what led me to posting here. I would've tracked it down to wherever I've done anything with sessions, but since I'm fairly sure I haven't got or set any session data, it's fairly strange to me.
What is your session configuration? Are you using subdomains?
<?php
return [
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default, we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "file", "cookie", "database", "apc",
| "memcached", "redis", "array"
|
*/
'driver' => env('SESSION_DRIVER', 'file'),
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 120,
'expire_on_close' => true,
/*
|--------------------------------------------------------------------------
| Session Encryption
|--------------------------------------------------------------------------
|
| This option allows you to easily specify that all of your session data
| should be encrypted before it is stored. All encryption will be run
| automatically by Laravel and you can use the Session like normal.
|
*/
'encrypt' => false,
/*
|--------------------------------------------------------------------------
| Session File Location
|--------------------------------------------------------------------------
|
| When using the native session driver, we need a location where session
| files may be stored. A default has been set for you but a different
| location may be specified. This is only needed for file sessions.
|
*/
'files' => storage_path('framework/sessions'),
/*
|--------------------------------------------------------------------------
| Session Database Connection
|--------------------------------------------------------------------------
|
| When using the "database" or "redis" session drivers, you may specify a
| connection that should be used to manage these sessions. This should
| correspond to a connection in your database configuration options.
|
*/
'connection' => null,
/*
|--------------------------------------------------------------------------
| Session Database Table
|--------------------------------------------------------------------------
|
| When using the "database" session driver, you may specify the table we
| should use to manage the sessions. Of course, a sensible default is
| provided for you; however, you are free to change this as needed.
|
*/
'table' => 'sessions',
/*
|--------------------------------------------------------------------------
| Session Sweeping Lottery
|--------------------------------------------------------------------------
|
| Some session drivers must manually sweep their storage location to get
| rid of old sessions from storage. Here are the chances that it will
| happen on a given request. By default, the odds are 2 out of 100.
|
*/
'lottery' => [2, 100],
/*
|--------------------------------------------------------------------------
| Session Cookie Name
|--------------------------------------------------------------------------
|
| Here you may change the name of the cookie used to identify a session
| instance by ID. The name specified here will get used every time a
| new session cookie is created by the framework for every driver.
|
*/
'cookie' => 'laravel_session',
/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically, this will be the root path of
| your application but you are free to change this when necessary.
|
*/
'path' => '/',
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => null,
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => false,
/*
|--------------------------------------------------------------------------
| HTTP Access Only
|--------------------------------------------------------------------------
|
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
|
*/
'http_only' => true,
];
Mostly default; I only changed expire_on_close (in an attempt to fix this issue) and then changed from the file driver to the database driver (in my .env) to further investigate the issue.
And no, no sub-domains.
Hmmm, strange. Does this happen only when you have kept the page idle for some time, or is it completely random?
Narrowing it down, it seems to happen only on submitting POST requests to the same site, so to my knowledge it's not making a CORS request. If you want to take a look at the POST request (apologies for the messy code, this bug made me put in a bunch of debugging console logs):
/* global $, history, NProgress, toastr, gPjax, jsCookie */
function overrideSubmitButtons() {
  $("form").submit(function (e) {
    var form = $(this);
    // Read the hidden _token from this form, not from the first form on the page
    var formToken = form.find("input[name='_token']").val();
    console.log("Form Token:");
    console.log(formToken);
    // To try and prevent CORS: rebuild the action as a site-relative path
    var split = form.attr('action').split("/");
    //console.log(split);
    //console.log(('/'+split[3]+'/'+split[4]).replace(/\/$/, "").replace("undefined", ""));
    console.log("Cookie Token:");
    console.log(jsCookie("XSRF-TOKEN"));
    $.ajax({
      url: ('/' + split[3] + '/' + split[4]).replace(/\/$/, "").replace("undefined", ""),
      type: form.attr('method'),
      // X-CSRF-TOKEN carries the plain token that csrf_field() printed into the form;
      // the encrypted XSRF-TOKEN cookie value belongs in X-XSRF-TOKEN (set in beforeSend)
      headers: { 'X-CSRF-TOKEN': formToken },
      beforeSend: function (xhr) {
        var cookieToken = jsCookie("XSRF-TOKEN"); //$('meta[name="csrf-token"]').attr("content");
        if (cookieToken) {
          console.log("Cookie BeforeSend Token:");
          console.log(cookieToken);
          xhr.setRequestHeader('X-XSRF-TOKEN', cookieToken);
        }
      },
      // form.serialize() already includes _token, which Laravel checks before any header
      data: form.serialize(),
      success: function (response) {
        var flashMessage = $(response).filter("#js_flash_message");
        // Add the flash (a jQuery object is never null, so test its length instead)
        if (flashMessage.length) {
          $('body').append(flashMessage);
        }
        gPjax.loadUrl(form.attr('action'), gPjax.options);
      },
      error: function (XMLHttpRequest, textStatus, errorThrown) {
        toastr["error"]("Please wait 5 seconds before trying again. If you navigate away from this page, be sure to save any unsaved work.", "Error: " + errorThrown);
        $('input[type="submit"]').prop('disabled', true);
        setTimeout(
          function () {
            $('input[type="submit"]').prop('disabled', false);
          }, 5000);
        var errors = XMLHttpRequest.responseJSON;
        //console.log(errors);
      }
    });
    // Prevent the default (non-AJAX) submit
    return false;
  });
}
$(document).ready(function () {
  overrideSubmitButtons();
  $("#submit").prop("disabled", false);
});
// Forms loaded via pjax are new DOM nodes, so the handlers have to be bound again
$(document).on('pjax:complete', function () {
  overrideSubmitButtons();
  $("#submit").prop("disabled", false);
});
I think you are confusing Laravel with so many headers here :) Assuming it's a session-enabled route, just add
{{ csrf_field() }} // in your form
// And just this would do, cookies will automatically be sent
$.ajax({
  url: form.attr('action'),
  type: form.attr('method'),
  data: form.serialize(),
  success: function () {},
  error: function () {},
});
That's the code I started from, then when I had this problem, I started experimenting with adding all the additional headers and such to see if I could fix it. I'll try it again with just what you've provided.
How did this turn out @alig96 ? Do you remember your fix?
Facing the same issue. It happens only one time: when submitting a POST request I was getting a 419 error. Then I checked the sessions table and I can see that the first time I open the link, session data is added. Then when I submit the POST request another session is generated, hence causing 419 errors. This won't happen after that using the same incognito window. This issue has been driving me crazy for many days. I am also getting "Redirecting to {page_link}" when I submit some requests; I don't know if this is related to the session. I had checked for spaces at the beginning of all PHP files and tried a lot of debugging. If anybody can help on this issue it would be a great help.