I have a website, and users are complaining they get "Page Expired" after being idle, and if they refresh the website it still shows "Page Expired". I tried searching and what I'm seeing is that "Page Expired" is because of the @csrf, but in my case I don't think that's the problem.
It's working fine, but being idle for a long time results in "Page Expired".
How can I prevent this?
Laravel version: 7.x
Server: Apache
EDIT:
Now I understand that if the user is idle for a long time, the session expires and Laravel logs the user out. But my logout uses a POST method (the Laravel default), so the page expires because of the token from @csrf.
Logout:
<a class="dropdown-item" href="{{ route('logout') }}" onclick="event.preventDefault();
document.getElementById('logout-form').submit();">
{{ __('Logout') }}
</a>
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
First of all, make sure you put the csrf_token in your form.
Then you can follow this:
As far as I know, it is OK that Laravel does this after being inactive for a long time;
it is because of some security problem.
But if you don't want it for some routes, you can exclude your route (NOT RECOMMENDED DUE TO SECURITY) in
app/Http/Middleware/VerifyCsrfToken.php:
protected $except = [
    'your/route',
];
I didn't do it myself; test it and see whether it works or not, but it should.
I would like to log out and be redirected to the login page when the session expires in Laravel 7. Can anyone please help me to do this? Thank you.
This functionality is normally implemented in Laravel. You need a POST request to the '/logout' route with (and therefore a CSRF field in your request).
Usually you have in your blade a hidden form for that and a button or a link (it depends on what you use) that activates the sending of the form (with javascript).
For example, in the basic template of laravel we have this:
The form that is hidden:
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
The link used here to allow the user to log out:
<a href="#" onclick="event.preventDefault(); document.querySelector('#logout-form').submit();">Logout</a>
In a Laravel 7 / Blade app using "albertcht/invisible-recaptcha": "^1.9",
I added the rule
'g-recaptcha-response' => 'required|captcha'
to pages with common access such as login, register, contact_us,
and added the captcha in the form definition of all these forms, like:
<form method="POST" action="{{ route('login') }}" aria-label="{{ __('Login') }}">
{{ csrf_field() }}
@captcha('en')
Can I consider all these pages safe from external attacks?
Do I have to take some additional steps? If yes, which?
Thanks!
All captchas will protect your forms only from spam attacks.
There are also many other ways of attacking, for which you may consider other methods of protecting your forms.
But a captcha (even invisible-recaptcha) will protect your forms from spammers.
I have problems when submitting a form in a Laravel application. It reports a 419 error.
My code:
<form action="login" method="POST">
<input id="csft_pass" type="hidden" name="_token" value="{{ csrf_token() }}">
.....
</form>
I tried fixing it:
<form action="login" method="POST">
@csrf
.....
</form>
But still, error 419.
With the above code still running normally, suddenly there was an error today.
I tried many ways, like php artisan cache:clear, but it still does not solve the issue.
My Laravel version: 5.8
UPDATE: I tried a lot of solutions on Stack Overflow but still can't solve it. I think that is because the application's session has something wrong.
After the form tag, use csrf_field:
{{ csrf_field() }}
And if you are using AJAX, you may pass the CSRF token in a meta tag like:
<meta name="csrf-token" content="{{ csrf_token() }}">
You can use the csrf_field helper to generate the token field:
<form method="POST" action="/login">
@csrf
...
</form>
OR
<input type="hidden" name="_token" value="{{ csrf_token() }}">
If it doesn't work, then refresh the browser cache and it might work.
Why this is required: refresh the browser cache
When we update our application, a browser may still use old files. If you don't clear your cache, old files can cause problems when you apply the update.
For more details, see: Error - 419 Sorry, your session has expired
"With the above code still running normally, suddenly there was an error today"
This makes me suspect the error occurs only when the form was opened for more than two hours (that's the default lifetime in config/session.php) before submitting.
If that's the case, you could set a value of more than 120 minutes as the lifetime, or do something in the frontend to keep the session alive, such as some custom JavaScript (for single forms) as described in the selected answer to this thread, or Laravel Caffeine (for whole apps).
Replace these lines with:
<input type="hidden" name="_token" value="{{ csrf_token() }}">
I have a problem in Laravel. When I submit a form with the POST method over and over, sometimes I get an error and see an expiry error related to CSRF.
Does anybody know how I can manage this error so that it is not displayed on the site and instead redirects to some other page?
Laravel makes it easy to protect your application from cross-site request forgery (CSRF).
Just add the @csrf Blade directive inside the form to avoid getting the CSRF token error.
<form method="POST" action="/profile">
@csrf
...
</form>
The directive outputs something like this:
<input type="hidden" name="_token" value="CzK6peomC6Pnnqdm4NsxpdGSH6v1evDnbN12oL">
Read more about it in the Laravel documentation here: https://laravel.com/docs/5.6/csrf
Regarding the expiration of the token I think you might want to handle the error this way https://gist.github.com/jrmadsen67/bd0f9ad0ef1ed6bb594e
Also, there's a package which helps the forms keep awake.
https://github.com/GeneaLabs/laravel-caffeine
I hope that helps.
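For the question above about handling the expired-token error instead of showing the 419 page, and for the two-hour session lifetime discussed earlier, here is an added example (not taken from any of the answers or the linked gist) of intercepting Laravel's TokenMismatchException in app/Exceptions/Handler.php. It assumes Laravel 7's Throwable signature (Laravel 5.x declares `Exception $exception` instead) and a flash key named 'status' that your layout displays.

```php
<?php

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Throwable;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response.
     *
     * VerifyCsrfToken throws TokenMismatchException when the submitted
     * _token no longer matches the session (for example after the
     * session lifetime elapsed); Laravel renders it as the 419
     * "Page Expired" view. We intercept that one case here.
     */
    public function render($request, Throwable $exception)
    {
        if ($exception instanceof TokenMismatchException) {
            // AJAX / API callers get a JSON body with the same 419 status
            // so the frontend can prompt for a reload instead of breaking.
            if ($request->expectsJson()) {
                return response()->json(
                    ['message' => 'Your session has expired. Reload the page and try again.'],
                    419
                );
            }

            // Browser callers are sent back to the form with their input
            // re-flashed (the stale token and any password fields are
            // dropped) and a message the layout shows from session('status').
            // Assumption: with the session gone, back() falls through to the
            // Referer header, and to '/' if that is missing too.
            return redirect()
                ->back()
                ->withInput($request->except('_token', 'password', 'password_confirmation'))
                ->with('status', 'Your session has expired. Please submit the form again.');
        }

        return parent::render($request, $exception);
    }
}
```

The form view must still render @csrf so the retried request carries the token from the fresh session; this handler only changes what the user sees when the old one has expired.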
In Laravel 5 using Blade templates, it's easy.
Add the CSRF token in your Blade file:
{{ csrf_token() }}
If you are using Laravel 5.6, then you need to add something like this in the code of your form:
@csrf
Check in detail about: CSRF Laravel
My Flask app is AJAX-heavy, but does not use any cookies. Is CSRF still a threat, or is it safe to deploy the app as of now?
I have already looked at this SO question, but my situation is slightly different, since I do not have to worry about the user's credentials.
I tried an AJAX call from Chrome DevTools (using $.ajax()) to my server, which was running on localhost (Flask development server), and I got an error saying:
XMLHttpRequest cannot load http://localhost:5000/_ajax. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome://newtab' is therefore not allowed access.
Does this mean I am safe, or is it possible that a hacker could circumvent this and still make AJAX calls to my server?
CSRF isn't just protection against CORS AJAX. I could make a form on my site, and set the action to http://yoursite.com/account/delete. If a user submits my form, without CSRF on your site, the action would succeed. Or if you have things change on GET requests (shouldn't do that anyway), I could add this to my site:
<img src="http://yoursite.com/account/delete" />
and the action would happen when my page loads.
Check out Flask-WTF or this snippet: http://flask.pocoo.org/snippets/3/
EDIT
From your comment:
Change the action of that page to a POST, and have it be accessed through a form instead of a link. If your link was:
<a href="{{ url_for('my_page') }}">Click Here</a>
Your form could be (using Flask-WTF, which you would need):
<form action="{{ url_for('my_page') }}" method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Click Here" />
</form>