
Corndog

Deleting the old XSRF-TOKEN after changing the SESSION_DOMAIN

I recently changed SESSION_DOMAIN in my app's env file so that the session data was accessible across our subdomains.

We changed it from domain.com to .domain.com.

I've got a problem now: the old domain.com XSRF-TOKEN is still present in existing users' browsers and is causing 419 errors when they try to use the platform.

How do I remove the old XSRF cookie from their browsers?

I've tried Cookie::expire('XSRF-TOKEN', '/', 'domain.com') but strangely, this is only removing the .domain.com XSRF-TOKEN, not the domain.com one.

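For anyone hitting the same thing, here is a small model of what the browser's cookie jar is doing, written for this thread (it is not Laravel's code or the original poster's) using Python's stdlib http.cookiejar: the lingering domain.com XSRF-TOKEN and the new .domain.com one are separate entries, and a Set-Cookie that carries a Domain attribute only ever clears the domain-scoped entry. It assumes the lingering domain.com entry is host-only (issued with no Domain attribute) and that Cookie::expire(...) emits a past-dated Set-Cookie with Domain=domain.com.

```python
import io
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request
from urllib.response import addinfourl

SITE = "https://domain.com/"  # the thread's placeholder domain, used as the request origin

def receive(jar, set_cookie_header, url=SITE):
    """Feed one constructed Set-Cookie header into `jar` as if a response from `url` carried it."""
    headers = Message()
    headers["Set-Cookie"] = set_cookie_header
    jar.extract_cookies(addinfourl(io.BytesIO(b""), headers, url), Request(url))

def xsrf_entries(jar):
    """Jar keys of every stored XSRF-TOKEN: 'domain.com' is host-only, '.domain.com' is domain-scoped."""
    return sorted(c.domain for c in jar if c.name == "XSRF-TOKEN")

def build_stale_jar():
    """Reproduce the thread's state: an old host-only token plus the new .domain.com one."""
    jar = CookieJar()
    # Old cookie, assumed to have been issued with no Domain attribute (host-only entry).
    receive(jar, "XSRF-TOKEN=old; Path=/; Max-Age=7200")
    # New cookie after SESSION_DOMAIN=.domain.com: domain-scoped, stored as a separate entry.
    receive(jar, "XSRF-TOKEN=new; Path=/; Domain=.domain.com; Max-Age=7200")
    return jar

def cookie_header_sent(jar, url=SITE):
    """Cookie header a browser sends to `url`: both entries match, so the server
    receives two XSRF-TOKEN values and may check the stale one (the 419)."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")

def expire_with_domain(jar):
    """Models Cookie::expire('XSRF-TOKEN', '/', 'domain.com') (assumed to emit a past-dated
    Set-Cookie with Domain=domain.com): browsers drop the leading dot, so this only
    removes the domain-scoped entry and the host-only one survives."""
    receive(jar, "XSRF-TOKEN=deleted; Path=/; Domain=domain.com; Max-Age=0")
    return xsrf_entries(jar)

def expire_host_only(jar):
    """A past-dated Set-Cookie with no Domain attribute is what removes the host-only entry."""
    receive(jar, "XSRF-TOKEN=deleted; Path=/; Max-Age=0")
    return xsrf_entries(jar)

if __name__ == "__main__":
    jar = build_stale_jar()
    print("stored:", xsrf_entries(jar), "sent:", cookie_header_sent(jar))
    print("Domain= expiry leaves:", expire_with_domain(jar), "host-only expiry leaves:", expire_host_only(jar))
```

In Laravel terms, the host-only deletion is a response cookie queued without any Domain attribute, so check that your cookie helper is not silently filling in the configured session domain.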
Snapey

Delete your sessions (this will log everyone out); new sessions will use a new XSRF token.

Corndog

@Snapey What's the best way to clear/delete all user sessions?

We're using the Cache (Redis) session driver.

Corndog

@snapey Also, won't logging the user out attempt to clear the .domain.com XSRF-TOKEN, since the SESSION_DOMAIN env var has been updated, leaving the original domain.com cookie?

Snapey

@Corndog Don't confuse the session cookie with CSRF. They are not the same.
