Laracasts forum does not handle CSRF token expiry gracefully; login fails silently

Why don't you just get in the habit of always closing your browser if you leave the computer. Logging into laravel does not take that long.

Here is the solution for handling CSRF token expiration gracefully.

https://gist.github.com/jrmadsen67/bd0f9ad0ef1ed6bb594e

@somnathsah but OP is referring to the Forum itself.

@jlrdw This is a usability problem; the fact that I hit "Login" and "nothing happens" is inexcusable, in my opinion. Whatever actions I may or may not have taken on the site prior to attempting to login are irrelevant. Whether or not login functions correctly should not be contingent upon my browsing habits and for how long my browser has been open during any given session.

If you had built this website for a client, and the client told you, "Hey, people are trying to login and when they click the Login button, nothing happens," would you tell your client, "Oh, yeah, don't worry about that, just tell people to close their browsers every time they finish using their computers and this won't happen." I hope not.

@somnathsah That advice is sound, in general, but using redirect()->back()->withInput() in this instance would be inappropriate, and provide a poor user experience, because the login form is presented in a modal dialog. A proper fix for this issue must utilize AJAX.

Yes @jirdw this is about the forum :-), but in case someone want to handle this error.

@cbj4074 we can implement a JS code which will logout from the site after the session time gets expired, redirect to login page and replace the login page with button something like "login again" which will refresh the CSRF token.

I agree it's not a good solution. It's bugged me for awhile (laravel in general, not this site specifically).

Even if not using ajax... if you have a form that submits to a different url (like you should), and you let that form sit there until the token expires and then try to submit the form, you get the message that the page is expired and to refresh the page. However, in that situation, if you refresh the page, it resends the form with the expired token again and the user is stuck there in a loop with no idea of why it's not working. They are doing what the message said and refreshing the page. Remember, we're on the url that the form submits to, which isn't a page, it's accepting a POST (etc) request.

They (regular users) don't know about sessions or anything, nor should they. It's a very poor ux problem. @jlrdw It's not enough to tell users they should be logging out every time. That's not realistic. Government/sensitive job? Hell yes. A site for the public? No.

@somnathsah That's a pretty good solution, but as @cbj4074 mentioned it won't work for all situations. I guess it should check if the request was ajax and return a 422 response with validation errors (just like if validation fails and the request was made with ajax), and if not, return the redirect with input.

@somnathsah That won't solve the problem, because in the use-case I describe, I had never logged-in to begin with. I had come to the site, left it open overnight, and then tried to login the next day without refreshing the page first. It should not be the user's responsibility to "always remember to refresh the page before you try to login!"

Furthermore, the lack of an error message when login fails due to an expired CSRF token is unacceptable. This seems obvious, but some kind of error message should accompany any form submission failure in a web application.

This is easy to fix. And there is no need even to show an error message.

As I said in the OP, when the user submits the login form, check the response in JS for a token expiry error. If such an error is present, make another AJAX request to the server to request a new CSRF token, and then in the callback, update the login form with that new token, and re-submit the form automatically.

This fixes the issue, in all scenarios, and it's completely transparent to the user.

poor user experience

I am not totally disagreeing, however coming from business programming and not a user experience programming, I firmly believe in every system a user should log out if leaving the computer.

On a State of Texas employee computer you broke the law if you did not log out.

To me that should be a web standard not an option to have to log out.

And I could care less what a client wants, If a client has that kind of mindset and and does not understand the importance of logging out I would not even want such a customer.

I have done well enough that I can pick and choose.

To me that's no different than never trust a user input.

But again I don't totally disagree if you want to program a non logout system, that's fine.

@jlrdw That all seems like an irrelevant corollary. We're talking about coming to this site, doing something else for a couple of hours (or however long the CSRF token expiry might be), and then trying to log in and the process failing without explanation.

Agreed Jeffrey should do a fix.