René Sinnbeck
I often experience that my csrf token has expired, when I want to do something. For instance I go in to make some changes to a deploy script, and when I click save I get a popup with "Csrf has expired", and I am forced to reload the page and start over.
Dennis
How can we simulate this behavior? I have never heard of this.
René Sinnbeck
This is how I experience it. Log in with a browser (I use Firefox) and leave it overnight. Click around to a page that has a form (deploy script or support ticket). Try posting the form.
I will take a screenshot the next time it happens :)
Edit: found a semi old post explaining the issue, and a workaround https://dev.to/grantholle/better-csrf-refreshing-in-laravel-and-axios-177c
René Sinnbeck
Seems it no longer shows the modal with the error. Instead it just redirects me to the dashboard.
Dennis
So that is good, right? Like kind of. This is happening, because your session expires, then the CSRF token won't match anymore and you'd get the modal.
René Sinnbeck
The problem is that if I didn't remember to reload and just spent 20 minutes rewriting a deploy script, all of my work is lost. On a regular "non-SPA" app, this isn't a problem as the CSRF token is updated when I click around the pages, but with Inertia it is not.
Dennis
With InertiaJS it should also update to be honest, I'll check if I can see a workaround.
René Sinnbeck
Sadly Inertia does not send a new CSRF token in GET requests. I posted a link to a workaround above :) You can perhaps just send a post request to /sanctum/csrf-cookie if you find the session is expired.
My guess is that it happens for me because I have enabled "Remember me". So when my session expires, I would normally get logged out of the page when I click something. But Laravel will instead create a new session, but not send the CSRF token to the frontend like in a regular app :)
René Sinnbeck
I noticed that the page has something like
window.Ploi = {"csrfToken":"the-token"}
This is never refreshed when you click around the page. Yet Inertia internally uses the cookie instead, and this is refreshed on every click as it should be.
const token = await cookieStore.get('XSRF-TOKEN')
console.log(token.value)
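The refresh-and-retry approach discussed in this thread, as an added example that is not part of any participant's post and not Ploi's code: it reads the XSRF-TOKEN cookie at send time instead of a token embedded in the page, and on a 419 response refetches the cookie and resubmits the same body once. It assumes a Laravel backend that answers a token mismatch with 419 and serves Sanctum's /sanctum/csrf-cookie route over GET; readXsrfToken, createCsrfSafeSubmit and the injected getCookies/fetchImpl are hypothetical names.

```javascript
// Added example. Hypothetical helper names; assumes Laravel's 419 status
// and Sanctum's GET /sanctum/csrf-cookie route.

// Read the current XSRF-TOKEN value from a cookie string
// (document.cookie in the browser). Laravel URL-encodes the value.
function readXsrfToken(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build a submit function. `getCookies` returns the cookie string and
// `fetchImpl` is fetch(); both are injected so the flow also runs offline.
function createCsrfSafeSubmit({ getCookies, fetchImpl, refreshUrl = '/sanctum/csrf-cookie' }) {
  async function send(url, body) {
    // Read the token at send time; never cache it in a page-level variable.
    const token = readXsrfToken(getCookies());
    return fetchImpl(url, {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        ...(token ? { 'X-XSRF-TOKEN': token } : {}),
      },
      body: JSON.stringify(body),
    });
  }

  return async function submit(url, body) {
    let response = await send(url, body);
    if (response.status === 419) {
      // Token mismatch: fetch a new cookie, then retry exactly once with
      // the same body so the user's unsaved edits are not lost.
      await fetchImpl(refreshUrl, { method: 'GET', credentials: 'same-origin' });
      response = await send(url, body);
    }
    return response;
  };
}
```

In a browser this would be wired as createCsrfSafeSubmit({ getCookies: () => document.cookie, fetchImpl: (u, o) => fetch(u, o) }). The single retry is deliberate: a second 419 means the session itself is gone and the user has to log in again.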
Automatic csrf refresh
Dennis moved item to board Under review, 2 years ago
René Sinnbeck moved item to project Panel Requests, 2 years ago
René Sinnbeck created the item, 2 years ago