
infiniteform

Automatically refreshing CSRF token on failure

If I leave a Laravel/Livewire site in the background or other tab until the session expires I get a page expiry warning even if the remember me option was used on the login screen.

This is really ugly for end users who don't understand why it’s happening.

The Livewire 3 docs mention overriding the default expiry warning by using the request hook:

<script>
    document.addEventListener('livewire:init', () => {
        Livewire.hook('request', ({ fail }) => {
            fail(({ status, preventDefault }) => {
                if (status === 419) {
                    confirm('Your custom page expiration behavior...')
 
                    preventDefault()
                }
            })
        })
    })
</script>

Would it be possible to use this hook to refresh the CSRF token if a 419 error is returned and retry the original request?

If a 401 is returned then redirect the browser to the login page.

Is there any security reason why this shouldn’t be done?

LaryAI

Absolutely, you can use the Livewire request hook to handle 419 (CSRF token mismatch) and 401 (unauthenticated) errors more gracefully. Here’s how you can approach it:

1. Refreshing the CSRF Token on 419

When you get a 419 error, you can make an AJAX request to fetch a new CSRF token, update the token in your page, and then retry the original Livewire request. This is a common pattern and is secure as long as you only refresh the token and do not expose sensitive data.

2. Redirecting on 401

If you get a 401 error, it means the user is no longer authenticated. In this case, redirecting to the login page is the correct behavior.

3. Implementation Example

Here’s a full example you can use in your Blade layout or a dedicated JS file:

Notes:

  • /sanctum/csrf-cookie is used if you’re using Laravel Sanctum. If not, you may need to create a route that returns a fresh CSRF token and updates the meta tag.
  • Make sure your CSRF token meta tag is updated after fetching a new token.
  • The retry() function is provided by Livewire to retry the failed request.

4. Security Considerations

  • Refreshing the CSRF token is safe as long as you’re not exposing any sensitive data in the process.
  • Do not retry on 401 unless you have a secure way to re-authenticate the user (which is not typical). Redirecting to login is best.
  • Remember Me only keeps the user authenticated; it does not keep the session or CSRF token alive forever.

Summary:
Yes, you can use the Livewire request hook to refresh the CSRF token on 419 and retry, and redirect to login on 401. This is secure and improves user experience.

Snapey

"Your page has expired" means that the user's session has gone, not the CSRF token. CSRF is just a casualty of there being no session.

You have to ask them to login again, or redirect to a different page where they will then be asked to login.

Alternatively, add a wire:poll to the page, say every hour, so that the session doesn't expire. This isn't perfect though, as their session will still expire if they suspend their machine, e.g. by closing the lid on their laptop.

infiniteform

If the remember me feature is used when logging in, then the user gets re-authenticated when the session times out, but this means a new CSRF token is generated.

My goal would be to have Livewire automatically use the new CSRF token if it gets a 419 status back but send the user to the login page if the status is 401.

Like you said, polling doesn't work if the browser tab is suspended.

A popup asking the user to refresh the page is really poor UX.

Snapey

How about refreshing the whole page with a meta tag at session lifetime?

infiniteform

@Snapey It looks like refreshing the whole page is currently the only solution as Livewire 3 doesn't seem to expose any config or methods to update the CSRF token.
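An added example, not from this thread and not Livewire or Laravel code, of how the hook from the question could branch on 419 and 401 with the decision logic kept testable outside the browser. It assumes a hypothetical same-origin route /csrf-token, behind auth middleware, that returns {"token": "..."} for the caller's current session (401 if remember-me did not restore one) and a login page at /login; because, as concluded above, Livewire 3 exposes no way to retry or re-token the failed request, a second consecutive 419 falls back to a full page reload.

```javascript
// Added example; not from the thread and not Livewire/Laravel code.
// Assumptions: a same-origin route /csrf-token (hypothetical, behind auth
// middleware) returning {"token": "..."} for the current session, and /login.
const CSRF_ROUTE = '/csrf-token';
const LOGIN_URL = '/login';
const MAX_REFRESHES = 1; // stops a 419 -> refresh -> 419 loop
// Fetch a token for the current session and write it into Laravel's <meta name="csrf-token">.
async function refreshCsrfToken(fetchImpl, doc) {
  const res = await fetchImpl(CSRF_ROUTE, {
    credentials: 'same-origin',            // send the session cookie only
    headers: { Accept: 'application/json' },
  });
  if (!res.ok) return null;                // 401: remember-me did not restore the session
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token === '') return null;
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (meta) meta.setAttribute('content', body.token);
  return body.token;
}
// Decide what to do with a failed Livewire request; state.refreshes counts attempts on this page.
async function handleFailure(status, state, deps) {
  if (status === 401) { deps.redirect(LOGIN_URL); return 'redirect'; } // no session: log in again
  if (status === 419) {
    if (state.refreshes >= MAX_REFRESHES) { deps.reload(); return 'reload'; }
    state.refreshes += 1;
    const token = await refreshCsrfToken(deps.fetch, deps.doc);
    if (token === null) { deps.redirect(LOGIN_URL); return 'redirect'; }
    return 'refreshed';                    // meta tag updated; the lost request is not retried
  }
  return 'default';                        // other statuses keep Livewire's own handling
}
// Browser wiring for the hook shown in the question; skipped outside a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const state = { refreshes: 0 };
  const deps = { fetch: (u, o) => window.fetch(u, o), doc: document,
    redirect: (url) => window.location.assign(url), reload: () => window.location.reload() };
  document.addEventListener('livewire:init', () => {
    window.Livewire.hook('request', ({ fail }) => {
      fail(({ status, preventDefault }) => {
        if (status !== 401 && status !== 419) return;
        preventDefault();                  // suppress the default "page expired" dialog
        handleFailure(status, state, deps);
      });
    });
  });
}
```

The token route hands out a secret, so keep it same-origin and outside any permissive CORS configuration; an unauthenticated caller is sent to login rather than given a guest session's token.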
