Allow Cloudflare to cache my index page from Laravel - laravel

I'm facing a crazy problem. I have a website running in production and I'm trying to cache my index page using "Page Rules" from Cloudflare to speed it up; it does not have dynamic content right now.
The problem is that it does not work, probably because Laravel always returns the view with the XSRF-TOKEN and Cloudflare will understand it as not cacheable. I already changed the header (cache-control: max-age=36000, public) but Cloudflare always returns the header "cf-cache-status: BYPASS" when it should return HIT.
When I try to use the same rule on a file from the Laravel public folder (the same PHP file of the view) it works OK and returns HIT.
The solution I can think of is trying to remove this XSRF-TOKEN from the response header, but I'm going crazy on how to do this. Any tips?
Obs: I tried removing those cookies using
\Config::set('session.driver' , 'array');
\Config::set('cookie.driver', 'array');
But this removes only one cookie, not the XSRF-TOKEN one.

I believe you have to remove the CSRF token on pages you want to cache, or implement some sort of JavaScript solution where the CSRF token is being requested the moment you need it.
I found this article that explains your situation (bottom of the article):
https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/
If you are sure that your page does not need the CSRF token (i.e. it doesn't contain any POST/PUT/DELETE functionalities), you can remove the token for that particular page and be fine.
In Laravel, the CSRF token is managed by \App\Http\Middleware\VerifyCsrfToken, which should be listed in your middleware in \App\Http\Kernel. Removing this middleware will remove it for all routes that use that middleware; so you'll likely have to create a separate middleware-group for pages where you do need CSRF protection.
You might also be able to add to the protected $except = [] property on your VerifyCsrfToken middleware class. This property contains an array of URLs that should be excluded from CSRF verification. So you could add '/' to that array, or a wildcard like '/webhook/*'.
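An added example, not code from the answer above or from Laravel itself: one way to serve the index page from a middleware group that starts no session and sets no XSRF-TOKEN cookie, with a guard that marks the response publicly cacheable only when it carries no Set-Cookie header, because a cookie stored by a shared cache would be handed to every visitor. The class name PublicCacheHeaders, the group name static and the file routes/static.php are assumptions.

```php
<?php
// app/Http/Middleware/PublicCacheHeaders.php
// Added example: class name, group name and route file are hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class PublicCacheHeaders
{
    /**
     * Mark a response as cacheable by a shared cache (CDN) only when that is safe.
     *
     * @param  int  $maxAge  seconds; 36000 matches the value used in the question
     */
    public function handle(Request $request, Closure $next, $maxAge = 36000)
    {
        $response = $next($request);

        $safeMethod = in_array($request->getMethod(), ['GET', 'HEAD'], true);
        $noCookies  = count($response->headers->getCookies()) === 0;

        if ($safeMethod && $noCookies && $response->getStatusCode() === 200) {
            $response->headers->set('Cache-Control', 'public, max-age=' . (int) $maxAge);
        } else {
            // A response that sets a cookie (session, XSRF-TOKEN) is per-visitor:
            // keep it out of shared caches.
            $response->headers->set('Cache-Control', 'private, no-store');
        }

        return $response;
    }
}

// Registration (assumes the stock app/Http/Kernel.php and RouteServiceProvider):
//
//   // Kernel.php: a group WITHOUT EncryptCookies, AddQueuedCookiesToResponse,
//   // StartSession and VerifyCsrfToken, so nothing in the pipeline adds Set-Cookie.
//   protected $middlewareGroups = [
//       'web'    => [ /* unchanged */ ],
//       'static' => [ \App\Http\Middleware\PublicCacheHeaders::class ],
//   ];
//
//   // RouteServiceProvider: load cacheable routes outside the 'web' group.
//   Route::middleware('static')->group(base_path('routes/static.php'));
```

Views rendered under this group cannot use the session, auth state or csrf_token(); a form on such a page has to obtain its token from a separate, uncached request.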

Related

Pagination navigation is not working inside iframe

In this website everything is working fine,
but when we load the website in an iframe, everything is working but the pagination is not working.
Main Website: https://dropflo.thrivedeskdocs.com/en
Inside Iframe: https://iframetester.com/?url=https://dropflo.thrivedeskdocs.com/en
Recreate the issue: Go to the iframetester url, then go to "Getting started page" then scroll down to bottom, click page no 2. The page will not change.
There seems to be an issue with your URL generation.
The URL in your pagination links uses http instead of https.
Be sure to set your APP_URL .env variable to the correct URL, with the correct scheme:
// .env
APP_URL=https://dropflo.thrivedeskdocs.com
If that alone does not work (though it should, after clearing your configuration cache) try adding the following line to your AppServiceProvider:
\URL::forceSchema('https');
It may be a good idea to set it inside a conditional so that it only runs on certain environments. Maybe something like this:
if (parse_url(config('app.url', 'http://localhost'), PHP_URL_SCHEME) == 'https') {
\URL::forceSchema('https');
}
On a related note, you should also make your page automatically redirect any http requests to the https version of the same request.
https://growhackscale.com/blog/301-redirect-http-https

Not showing modal cookie policy on certain routes

I am using the [statikbe/laravel-cookie-consent] package for the cookie policy in my Laravel project and I don't want the modal to be shown on certain pages, so I must add the route to the ignored_paths array in the config file. For a route such as 'admin/users' everything is fine, but for a route such as 'admin/user/{id}' it doesn't work. How can I fix it, or how can I say that all the routes which start with '/admin' don't show the cookie policy?

Laravel 5.3 session cookies are not creating in browser

I am facing a token mismatch issue on a new server, while it works fine on localhost. I have tried every possible way to clear the cache and give the SESSION_DOMAIN path in env but all seems useless.
Also, session cookies are not being created in the web browser, while they are being created in the storage/framework/session folder.
Please help me!
Are you getting tokenMismatchException exception?
If yes, some of the possible reasons are:
Check your files for PHP end tag "?>", if exists remove it. For more detail refer to this link.
You may need to use web middleware. For more detail refer to this link (although it is about Laravel 5.2, it may work for your situation too).
Another thing to try is checking for web middleware presence. Normally it should be automatically applied to routes/web.php
Route::group(['middleware' => ['web']], function () {
    // your routes go here
});
Also check out https://laravel.com/docs/5.3/upgrade to see if you have any code that might have been influenced by this update.
And lastly, it would be nice if you could post a piece of code which is responsible for sessions in your app.

Getting TokenMismatchException in VerifyCsrfToken.php line 46: when uploading an image using Elfinder

I'm using Laravel 5 with CKEditor and Elfinder to create a WYSIWYG editor in a CMS. I've got the file browser up and running, but I can't get the file upload to work. I have the upload tab, but when I click Send to Server I get the following:
TokenMismatchException in VerifyCsrfToken.php line 46:
Any ideas why this is happening?
UPDATE
I removed verifyCsrf from Kernel.php, which removed that error specifically. It did throw a new exception, but I'll save that for a future question. Ultimately, I don't want to disable CSRF across the board just for image uploads. So I thought I could exclude the routes:
/app/Http/Middleware/VerifyCsrfToken.php:
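namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'elfinder/*'
    ];
}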
I am assuming all elfinder routes run under an elfinder prefix, although I don't have any evidence to back this up. The documentation is not too clear on the routes that run during upload. Welp... this doesn't work either.
So a followup: Is this the right direction? Anyone know the exact routes that get run on Elfinder?
UPDATE 2
Using this article I created my own VerifyCsrfTokenCustom class and was able to disable CSRF on Elfinder only. There seems to be a routing issue for a get/post route, but I think that should be a new question.
This is CSRF protection. You can either pass the token to CKEditor, or in app\Http\Kernel.php you might comment out the line with VerifyCsrfToken in the $middleware property, and this way you will turn off CSRF protection.

mydomain.example redirect to mydomain.example/store for Magento store

I currently have a domain landing page which I want to get rid of. The landing page (mydomain.example) links to a blog and a Magento store (mydomain.example/store) but I want the domain to link directly to the Magento store.
I set up a redirect using my hosting company's domain redirect tool on mydomain.example to mydomain.example/store, but this results in a redirect loop mydomain.example/store/store/store/store etc.
Should I be setting up a redirect anyway? It makes more sense to me to just set my Magento storefront as mydomain.example and get rid of the /store on every page within the store.
I decided that a redirect was not the answer here, so I moved the Magento store from the subdirectory /store to root. I followed these instructions:
http://www.crucialwebhost.com/kb/move-magento-to-another-directory/
But I copied files from store rather than moved them. This way you can revert back quickly if anything goes wrong.
Simply create index.html that contain this meta tag.
<meta http-equiv="Refresh" content="1; url=http://www.example.com/store">
Change example.com to your domain.
First you need to add jQuery core library and jQuery Cookies library on your WordPress site:
jQuery Library
jQuery Cookie library
Then use this jQuery code in the header.php file.
var redirectStore = jQuery.cookie("redirect");
if(redirectStore!="yes") {
jQuery.cookie("redirect", "yes",{path:'/'});
window.location= "http://www.mydomain.example/store";
}
It is checking whether a "redirect" cookie is already created or not. First-time users will not have this cookie. Then it redirects to mydomain.example/store and creates the cookie. If the user comes back to the blog site while visiting the store, it will find the redirect cookie, which prevents an infinite loop.
