Problems with csrf_token in Laravel

1

I understand well how csrf_token works, but I'm having trouble with it. For example, when I am inactive for about 5 minutes without working on the site and then try to log in, it informs me that I have a token problem.

[image]

I have the following questions:

  1. Is there some way to handle this error, so that it is not "spit" onto my user's screen?
  2. Is there any way to reload this csrf_token from time to time so there are no problems for my user?
  3. What is the correct way to use it, given that it is a site where the user is likely to be inactive for a few moments, and taking into consideration how unpleasant it is to see an absurd error page?

1 answer

5


1) Is there some way to handle this error, so that it is not "spit" onto my user's screen?

Yes. To avoid showing the error (debug) screen, which is useful in development but unacceptable in production, go to the configuration (folder: config), open the file app.php and make sure it looks like this:

'debug' => env('APP_DEBUG', false),

i.e., there is a configuration file .env; where it is set to true, put false in the APP_DEBUG setting:

APP_ENV=local
APP_DEBUG=false
APP_KEY=base64:nwMoa0Q1chP1ksbWx+5iIeg4R7fsPlVG8ZUUk8jKEwE=
APP_URL=http://localhost

With this setting, the error (debug) screen is disabled.

2) Is there any way to reload this csrf_token from time to time so there are no problems for my user?

That's a security factor, and I'm guessing that your session is expiring and, with that, the csrf_token has to be generated again (the session is tied to the csrf_token). Check in the folder config, in the file session.php, how lifetime is configured, which is usually 120 minutes ('lifetime' => 120). Programming factors, server errors and client code (JavaScript) may be factors that cause problems in the verification of the csrf_token. It is one of the barriers (it can't be the only one) that protect your site from external attacks. Check all the code that is being generated; it possibly has errors that are not being noticed. Reloading the screen from time to time may be the wrong alternative; I, for example, never had to do this with applications made with Laravel.

3) What is the correct way to use it, given that it is a site where the user is likely to be inactive for a few moments, and taking into consideration how unpleasant it is to see an absurd error page?

As already explained in item 1), you can disable the debug screen (or error screen) of , and provide a more user-friendly screen:

[image]

This is the screen that appears when APP_DEBUG=false; the code is inside the folder vendor\symfony\debug\ in the file ExceptionHandler.php.


With debug enabled, the file that generates this information is VerifyCsrfToken.php; reading the code is highly advisable for learning and confirming the structure of how the csrf_token is created and how it is verified.

Error line of the VerifyCsrfToken.php middleware, that is, in the decision (if) some or all of them return false.

  • I added the error image, and it actually occurs when the session expires.

  • Something nice is that when this happens, if I keep pressing F5 on the error screen, after the 3rd try it gets in :/

  • @Renanrodrigues it's like I said: this csrf_token turns out to be a protection; maybe your code can say more than this error screen.

  • There would be no way for me to post the code, due to its size. I will try to do something with your example, and as soon as I discover something I will share it here.
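
The relationship between session lifetime and csrf_token discussed in this thread, as an added example that is not part of the original answer and is not Laravel's own code. It is plain PHP; the class, function names, the /login path and the timestamps are hypothetical, and only the 120-minute lifetime comes from the answer.

```php
<?php
// Added illustration, not Laravel's VerifyCsrfToken: a minimal model of a
// session-bound CSRF check. Class and function names are hypothetical.
const LIFETIME_SECONDS = 120 * 60; // mirrors 'lifetime' => 120 (minutes)

final class SessionStore
{
    private array $sessions = [];

    // Return the live session for $id, or start a fresh one (new id, new
    // token) when the id is unknown or the session was idle too long.
    public function load(?string $id, int $now): array
    {
        $s = $id !== null ? ($this->sessions[$id] ?? null) : null;
        if ($s === null || $now - $s['last_seen'] > LIFETIME_SECONDS) {
            unset($this->sessions[$id ?? '']);
            $id = bin2hex(random_bytes(16));
            $s = ['id' => $id, 'token' => bin2hex(random_bytes(32))];
        }
        $s['last_seen'] = $now;
        return $this->sessions[$id] = $s;
    }
}

// Verify the submitted token against the one stored in the session. On a
// mismatch the check still fails closed, but the user gets a redirect with
// a message and a fresh token instead of an exception page.
function handlePost(SessionStore $store, ?string $cookie, string $submitted, int $now): array
{
    $session = $store->load($cookie, $now);
    if (!hash_equals($session['token'], $submitted)) {
        return ['status' => 302, 'location' => '/login', 'cookie' => $session['id'],
                'token' => $session['token'],
                'flash' => 'Your session expired. Please submit the form again.'];
    }
    return ['status' => 200, 'cookie' => $session['id']];
}

// Constructed scenario (timestamps in seconds, no real HTTP involved).
$store = new SessionStore();
$form  = $store->load(null, 0);                                // form rendered
$ok    = handlePost($store, $form['id'], $form['token'], 300); // 5 min later
$idle  = 300 + LIFETIME_SECONDS + 1;                           // session expired
$late  = handlePost($store, $form['id'], $form['token'], $idle);
$retry = handlePost($store, $late['cookie'], $late['token'], $idle + 5);
printf("in time: %d, after expiry: %d, retry with new token: %d\n",
    $ok['status'], $late['status'], $retry['status']);
```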
