Laravel 7 Auto logout when session expired - laravel

I would like to log out and be redirected to the login page when the session expires in Laravel 7. Can anyone please help me do this? Thank you

This functionality is normally already implemented in Laravel. You need a POST request to the '/logout' route (and therefore a CSRF field in your request).
Usually you have a hidden form for that in your Blade template, and a button or a link (it depends on what you use) that triggers the sending of the form (with JavaScript).
For example, in the basic template of Laravel we have this:
The form that is hidden:
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
The link used here to allow the user to log out:
<a href="#" onclick="event.preventDefault(); document.querySelector('#logout-form').submit();">Logout</a>

Related

laravel page expired after being idle for long time

I have a website, and users are complaining they got Page Expired after being idle, and if they refresh the website it is showing Page Expired. I tried searching and what I'm seeing is Page Expired because of the @csrf, but in my case I think it's not the problem.
It's working fine, but being idle for a long time is resulting in Page Expired
How can I prevent this?
Laravel version: 7.x
Server: Apache
EDIT:
Now I understand that if the user is idle for a long time, the session expires and Laravel logs out the user. But my logout uses the POST method, as is the default in Laravel; that's why it's Page Expired, because of the token from @csrf
Logout:
<a class="dropdown-item" href="{{ route('logout') }}" onclick="event.preventDefault();
document.getElementById('logout-form').submit();">
{{ __('Logout') }}
</a>
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
First of all, make sure you put the csrf_token in your form.
Then you can follow:
As far as I know, it is OK that Laravel does this after being inactive for a long time;
it is because of some security problem.
But if you don't want it for some routes, you can exclude your route (NOT RECOMMENDED DUE TO SECURITY) in:
app/Http/Middleware/VerifyCsrfToken.php:
protected $except = [
'your/route'
];
I didn't do it myself. Test it and see whether it works or not, but it should.

Is Laravel invisible-recaptcha safe?

In Laravel 7 / blade app using "albertcht/invisible-recaptcha": "^1.9"
I added rule
'g-recaptcha-response' => 'required|captcha'
to pages with common access such as login, register, contact_us
and added the captcha in the form definition of all these forms, like:
<form method="POST" action="{{ route('login') }}" aria-label="{{ __('Login') }}">
{{ csrf_field() }}
@captcha('en')
Can I consider all these pages safe from external attacks?
Do I have to take some additional steps? If yes, which?
Thanks!
All captchas will protect your forms only from spam attacks.
There are also many other ways of attacking, for which you may consider other methods of protecting your forms.
But captcha (even invisible-recaptcha) will protect your forms from spammers.

Issue with submit in registration form: when clicked, nothing happens

I have a registration view that is made by php artisan make:auth, and when I fill in the form and click the submit button, nothing happens
<form method="POST" action="{{ route('register') }}">
I haven't changed anything in the form

CSRF error in laravel

I have a problem in Laravel. When I submit a form with the POST method over and over, I sometimes get an error and see an expired error that is related to CSRF.
Does anybody know how I can manage this error so that it is not displayed on the site and instead redirects to another page?
Laravel makes it easy to protect your application from cross-site request forgery (CSRF).
Just add the @csrf Blade directive inside the form to avoid getting a CSRF token error.
<form method="POST" action="/profile">
@csrf
...
</form>
The directive puts something like this:
<input type="hidden" name="_token" value="CzK6peomC6Pnnqdm4NsxpdGSH6v1evDnbN12oL" >
Read more about it in the Laravel documentation here: https://laravel.com/docs/5.6/csrf
Regarding the expiration of the token I think you might want to handle the error this way https://gist.github.com/jrmadsen67/bd0f9ad0ef1ed6bb594e
Also, there's a package which helps the forms keep awake.
https://github.com/GeneaLabs/laravel-caffeine
I hope that helps.
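One way to handle the expired-token ("Page Expired", HTTP 419) case raised in the questions above without excluding any route from CSRF verification, as an added example that is not the linked gist's or any poster's code. It assumes Laravel 7's default `app/Exceptions/Handler.php` and routes named `login` and `logout`.

```php
<?php
// app/Exceptions/Handler.php (Laravel 7 layout; added example, not from the page)

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Throwable;

class Handler extends ExceptionHandler
{
    public function render($request, Throwable $exception)
    {
        // VerifyCsrfToken throws this when the submitted token no longer
        // matches the session, e.g. after the session has expired.
        if ($exception instanceof TokenMismatchException) {
            // AJAX/API clients get a status code they can react to.
            if ($request->expectsJson()) {
                return response()->json(['message' => 'Session expired.'], 419);
            }

            // Assumption: routes named 'logout' and 'login' exist.
            // An expired session is already logged out, so go to login.
            if ($request->routeIs('logout')) {
                return redirect()->route('login');
            }

            // Any other form: return to it with a fresh token, keeping the
            // user's input but never flashing the old token or passwords.
            return redirect()->back()
                ->withInput($request->except(['_token', 'password', 'password_confirmation']))
                ->withErrors(['session' => 'Your session expired. Please submit the form again.']);
        }

        return parent::render($request, $exception);
    }
}
```

The CSRF check itself stays in force for every route; only the response to a stale token changes.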
In Laravel 5 using Blade templates, it's easy.
Add the CSRF token in your Blade file
{{ csrf_token() }}
If you are using Laravel 5.6 then you need to add something like this in your code of the form
@csrf
Check in detail about: CSRF Laravel

Is CSRF a threat if not using cookies?

My Flask app is AJAX-heavy, but does not use any cookies. Is CSRF still a threat or is it safe to deploy the app as of now?
I have already looked at this SO question but my situation is slightly different, since I do not have to worry about user's credentials.
I tried an AJAX call from Chrome DevTools (using $.ajax()) to my server which was running on localhost (Flask development server) and I got an error saying
XMLHttpRequest cannot load http://localhost:5000/_ajax. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome://newtab' is therefore not allowed access.
Does this mean I am safe, or is it possible that a hacker could circumvent this and still make AJAX calls to my server?
CSRF isn't just protection against CORS AJAX. I could make a form on my site, and set the action to http://yoursite.com/account/delete. If a user submits my form, without CSRF on your site, the action would succeed. Or if you have things change on GET requests (shouldn't do that anyway), I could add this to my site:
<img src="http://yoursite.com/account/delete" />
and the action would happen when my page loads.
Check out Flask-WTF or this snippet: http://flask.pocoo.org/snippets/3/
EDIT
From your comment:
Change the action of that page to a POST, and have it be accessed through a form instead of a link. If your link was:
<a href="{{ url_for('my_page') }}">Click Here</a>
Your form could be (using Flask-WTF, which you would need):
<form action="{{ url_for('my_page') }}" method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Click Here" />
</form>
