
Loomix's avatar

Automatic redirect on session timeout

When a user session is expired and the app is still open in browser, the app redirects to the login page when the user clicks a link in the app while not being authenticated any longer. So far so good. But I also have pages with FullCalendar, where certain JavaScript(!) functions are triggered by mouse click. Here, the function throws a 419 error (page has expired) and does not redirect to the login page but leaves the user with an error message.

What is the best way to handle this? I think it would be good to have the app automatically redirect to the login page once the session expires, so any 419 error could be avoided. Is this possible? If so, how do I do this? Does it need a job or event to make the app redirect itself once the session expires?

From my session.php:

'lifetime' => env('SESSION_LIFETIME', 60),

From my LoginController.php:

public function Logout(){
  auth()->logout();
  return redirect('/login');
}
tykus's avatar

XHR requests do not "understand" 3xx response status codes

Are you using a library for the XHR requests between FullCalendar and your server? You could examine the response and redirect (in JS) as appropriate. For example, axios has interceptors where you can interrogate the request or, in your case, the response - if the status code is 419 then you know you have a token issue, and can window.location off to the login page...

https://github.com/axios/axios#interceptors

Loomix's avatar

That's a good idea. I can get the code from jqXHR.status. What do I need these interceptors for? I could redirect directly in error: function(...) { ... }, no?

Nevertheless it would be awesome to have the app redirect itself to login without any click from the user...

tykus's avatar

A 3xx status code is not an error AFAIK, so the error handler will not deal with it.

You probably could use ajaxComplete as a middleware on the response to check for 3xx status codes and redirect to the provided URL (if available).

tykus's avatar

@michaloravec are you suggesting that the OP keeps their session alive endlessly by refreshing their inactive auth-protected pages?

MichalOravec's avatar

If the session expired the page will be refreshed, which means a user has to log in again.

tykus's avatar

Ah yeah... re-read that blog post 👍

Snapey's avatar

The example uses meta refresh, but does not appreciate that the user might have ajax requests going, which will extend the session. So the calendar would redirect to the login page after 2 hours even if the user had been interacting with the calendar for 1 hour (unlikely I know).

If the meta refresh reloads the same page, then if the session has ended then the user sees the login page, or if the session is still going (maybe they are busy in another tab) then the calendar will just reload.

Loomix's avatar

I just included the idea at https://talltips.novate.co.uk/laravel/csrf-and-expired-login-forms on my index.blade.php with the calendar with a SESSION_LIFETIME of only 1 minute for testing purposes:

(...)
@section('content')
<meta http-equiv="refresh" content="{{ config('session.lifetime') * 10 }}">
<div class="content" style="border:0px solid green;padding-bottom:0px;height:auto;">
(...)

Result:

  • It does a page refresh every 10 seconds, even if the session is still valid.
  • The refresh just extends the session and never leads to the login page.

That's not the solution I am looking for, because my client would not like it at all to have a page reload for no obvious reason while working with the app. Moreover, the session never expires.

I have a feeling I have seen this so often on the web. Leaving an app open on the browser window for a while and then finding the login page when coming back, because session expired. How do they do that?

Snapey's avatar

They do it as I wrote, however you need to think of it in the context of a 2 hour session.

Your code is clearly not correct, as with what you have published the session.lifetime will be 60 x 10, which will be 600, not 10 seconds. Sounds like you have set session.lifetime to 1.

Each time they interact with the page then the session will be extended. As I mentioned, if they have been on the same page for 2 hours THEN the page will be refreshed the once. Only you know if someone will be working on your calendar page for 2 hours without reloading the page.

The alternative is that you write a JavaScript function to reload the page, but make sure you reset the timer on every interaction that the user can perform within the page. I.e., if you send a JavaScript request then reset the timeout.
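
The timer-reset approach described above, combined with the 419 check suggested earlier in the thread, as an added example that is not code from any poster here. The names createSessionWatch, LOGIN_URL and EXPIRED_STATUSES are hypothetical; it assumes jQuery for the XHR hook and that a 401 should be treated like a 419.

```javascript
// Added example; createSessionWatch, LOGIN_URL and EXPIRED_STATUSES are hypothetical names.
const LOGIN_URL = '/login';            // login route used in the thread
const EXPIRED_STATUSES = [419, 401];   // 419 from the thread; 401 is an assumption (unauthenticated XHR)

// Client-side countdown that mirrors the server session lifetime.
// Timer functions are injectable so the logic can be exercised outside a browser.
function createSessionWatch({ lifetimeMinutes, onExpire, setTimer = setTimeout, clearTimer = clearTimeout }) {
  let handle = null;
  let expired = false;

  const expire = () => {
    if (expired) return;               // redirect only once
    expired = true;
    if (handle !== null) clearTimer(handle);
    onExpire(LOGIN_URL);
  };

  // Restart the countdown: call whenever the server has just extended the session.
  const touch = () => {
    if (expired) return;
    if (handle !== null) clearTimer(handle);
    handle = setTimer(expire, lifetimeMinutes * 60 * 1000);
  };

  // Feed every XHR response status in here; returns true if it meant "session gone".
  const handleStatus = (status) => {
    if (EXPIRED_STATUSES.includes(status)) { expire(); return true; }
    if (status >= 200 && status < 400) touch();   // successful request extended the session
    return false;
  };

  return { touch, handleStatus, isExpired: () => expired };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined' && window.jQuery) {
  const watch = createSessionWatch({
    lifetimeMinutes: 60,               // keep in sync with SESSION_LIFETIME
    onExpire: (url) => window.location.assign(url),
  });
  watch.touch();                       // the page load itself refreshed the session
  window.jQuery(document).on('ajaxComplete', (event, jqXHR) => watch.handleStatus(jqXHR.status));
}
```

The countdown only decides when the browser navigates away; the server-side session lifetime remains what actually ends the session.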

marktusiime's avatar

It just keeps on refreshing whenever the time is out. The refresh just extends the session and never leads to the login page.
