René Sinnbeck

Under review

I often experience that my CSRF token has expired when I want to do something. For instance, I go in to make some changes to a deploy script, and when I click save I get a popup with "Csrf has expired", and I am forced to reload the page and start over.

Dennis

How can we simulate this behavior? I have never heard of this.

René Sinnbeck

This is how I experience it. Log in with a browser (I use Firefox) and leave it overnight. Click around to a page that has a form (deploy script or support ticket). Try posting the form.

I will take a screenshot the next time it happens :)

Edit: found a semi-old post explaining the issue, and a workaround: https://dev.to/grantholle/better-csrf-refreshing-in-laravel-and-axios-177c

René Sinnbeck

Seems it no longer shows the modal with the error. Instead it just redirects me to the dashboard.

Dennis

So that is good, right? Like, kind of. This is happening because your session expires; then the CSRF token won't match anymore and you'd get the modal.

René Sinnbeck

The problem is that if I didn't remember to reload and just spent 20 minutes rewriting a deploy script, all of my work is lost. On a regular "non-SPA" app, this isn't a problem as the CSRF token is updated when I click around the pages, but with Inertia it is not.

Dennis

With InertiaJS it should also update, to be honest. I'll check if I can see a workaround.

René Sinnbeck

Sadly, Inertia does not send a new CSRF token in GET requests. I posted a link to a workaround above :) You can perhaps just send a POST request to /sanctum/csrf-cookie if you find the session is expired.

My guess as to why it happens for me is that I have enabled "Remember me". So when my session expires, I would normally get logged out of the page when I click something. But Laravel will instead create a new session, but not send the CSRF token to the frontend like in a regular app :)

René Sinnbeck

I noticed that the page has something like:

window.Ploi = {"csrfToken":"the-token"}

This is never refreshed when you click around the page. Yet Inertia internally uses the cookie instead, and this is refreshed on every click, as it should be:

const token = await cookieStore.get('XSRF-TOKEN')
console.log(token.value)
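The workaround discussed in this thread, as an added example that is not part of the original posts and not Ploi's or Inertia's own code: read the XSRF-TOKEN cookie at send time instead of a token embedded at page load, and when Laravel answers with HTTP 419 (its CSRF mismatch status), refresh the cookie once and resend the same form data so the user's edits are not lost. The function names, the injected `fetchImpl`/`getCookies` parameters and the use of GET for /sanctum/csrf-cookie are assumptions of this example.

```javascript
// Added example; readXsrfCookie and submitWithCsrfRetry are hypothetical names.
const CSRF_EXPIRED = 419; // status Laravel returns on a CSRF token mismatch

// Read the current XSRF-TOKEN value from a "k=v; k2=v2" cookie string.
// Laravel URL-encodes the cookie value, so decode it before using it as a header.
function readXsrfCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// POST `body` to `url`, taking the token from the cookie at send time.
// On 419, refresh the cookie once and resend the same body.
// fetchImpl and getCookies are injected so the logic runs outside a browser;
// in a page they would be window.fetch and () => document.cookie.
async function submitWithCsrfRetry(fetchImpl, getCookies, url, body) {
  const send = () => {
    const token = readXsrfCookie(getCookies());
    return fetchImpl(url, {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        ...(token ? { 'X-XSRF-TOKEN': token } : {}),
      },
      body: JSON.stringify(body),
    });
  };

  let response = await send();
  if (response.status === CSRF_EXPIRED) {
    // Assumption: the Sanctum CSRF cookie route is enabled on the backend.
    await fetchImpl('/sanctum/csrf-cookie', { method: 'GET', credentials: 'same-origin' });
    response = await send(); // one retry only, so a persistent 419 reaches the caller
  }
  return response;
}
```

Because the retry happens at most once, a session that is really gone still surfaces as a 419 to the caller, which can then keep the unsaved form contents on screen while asking the user to log in again.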

Automatic csrf refresh

2 total votes
Samuel Loft René Sinnbeck
  • Dennis moved item to board Under review (4 months ago)
  • René Sinnbeck moved item to project Panel Requests (4 months ago)
  • René Sinnbeck created the item (4 months ago)