René Sinnbeck
Under review

I often experience that my csrf token has expired, when I want to do something. For instance I go in to make some changes to a deploy script, and when I click save I get a popup with "Csrf has expired", and I am forced to reload the page and start over.


How can we simulate this behavior? I have never heard of this.

no votes yet
Edited

This is how I experience it. Log in with a browser (I use Firefox) and leave it overnight. Click around to a page that has a form (deploy script or support ticket). Try posting the form.

I will take a screenshot the next time it happens :)

Edit: found a semi-old post explaining the issue and a workaround: https://dev.to/grantholle/better-csrf-refreshing-in-laravel-and-axios-177c

no votes yet

Seems it no longer shows the modal with the error. Instead it just redirects me to the dashboard.

no votes yet

So that is good, right? Like kind of. This is happening, because your session expires, then the CSRF token won't match anymore and you'd get the modal.

no votes yet

The problem is that if I didn't remember to reload and just spent 20 minutes rewriting a deploy script, all of my work is lost. On a regular "non-SPA" app, this isn't a problem as the CSRF token is updated when I click around the pages, but with Inertia it is not.

no votes yet

With InertiaJS it should also update to be honest, I'll check if I can see a workaround.

no votes yet

Sadly Inertia does not send a new csrf token in get requests. I posted a link to a workaround above :) You can perhaps just send a post request to /sanctum/csrf-cookie if you find the session is expired.

My guess is that it happens for me because I have enabled "Remember me". So when my session expires, I would normally get logged out of the page when I click something. But Laravel will instead create a new session, but not send the CSRF token to the frontend like in a regular app :)

no votes yet

I noticed that the page has something like

window.Ploi = {"csrfToken":"the-token"}

This is never refreshed when you click around the page. Yet Inertia internally uses the cookie instead, and this is refreshed on every click as it should be.

const token = await cookieStore.get('XSRF-TOKEN')
console.log(token.value)

no votes yet
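
The workaround discussed in this thread (refresh the CSRF cookie and replay the request so the form contents are not lost), as an added example that is not Ploi's or Inertia's own code. It assumes a Laravel backend that answers 419 on a token mismatch and exposes Sanctum's `/sanctum/csrf-cookie` route; `sendWithCsrfRetry`, `readCookie`, `makeFakeServer` and the `/deploy-script` URL are hypothetical, and the fake server is constructed so the flow runs offline.

```javascript
// Added example; all function names and URLs here are hypothetical.
// Read one cookie from a document.cookie-style string. Laravel URL-encodes
// XSRF-TOKEN, so the value is decoded before it goes into the header.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// POST with the current token; on 419 refresh the cookie once and replay the
// same body. A single retry keeps a genuine mismatch from looping forever.
async function sendWithCsrfRetry(fetchImpl, getCookies, url, body) {
  const attempt = () => fetchImpl(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      // Re-read on every attempt: a value cached at page load goes stale.
      'X-XSRF-TOKEN': readCookie(getCookies(), 'XSRF-TOKEN') ?? '',
    },
    body: JSON.stringify(body),
  });
  let res = await attempt();
  if (res.status === 419) { // Laravel's "page expired" / token mismatch status
    await fetchImpl('/sanctum/csrf-cookie', { method: 'GET', credentials: 'same-origin' });
    res = await attempt();
  }
  return res;
}

// Constructed stand-in for the server and cookie jar (not real traffic).
function makeFakeServer() {
  const state = { valid: 'fresh%3Dtoken', jar: 'XSRF-TOKEN=stale', saved: null, calls: [] };
  const fetchImpl = async (url, opts) => {
    state.calls.push(url);
    if (url === '/sanctum/csrf-cookie') {
      state.jar = `XSRF-TOKEN=${state.valid}`; // server sets a fresh cookie
      return { status: 204 };
    }
    if (opts.headers['X-XSRF-TOKEN'] !== decodeURIComponent(state.valid)) return { status: 419 };
    state.saved = JSON.parse(opts.body);
    return { status: 200 };
  };
  return { state, fetchImpl, getCookies: () => state.jar };
}
```

In a browser the caller would pass `(u, o) => fetch(u, o)` and `() => document.cookie`. The CSRF check itself stays enforced on the server; only the stale client-side token is replaced.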

Automatic csrf refresh

2 total votes