
I have a problem where my AJAX request returns an error code 419. AJAX uses the method POST. I already use csrf_token() like:

<meta name="csrf-token" content="{{ csrf_token() }}">
$.ajaxSetup({
    headers: {
        "X-CSRF-TOKEN": $("meta[name='csrf-token']").attr("content")
    }
});

The AJAX request works when registering and logging out. But when logging in, my AJAX request returns a 419. And so, the error code 419 means the session has expired, so I thought my CSRF token was faulty.

I tried using different CSRF tokens for each and every AJAX request, still no luck. After digging around in the LoginController of the Auth method, I found that in the sendLoginResponse function (AuthenticatesUsers.php > AuthenticatesUsers > sendLoginResponse) the "session identifier" regenerates.

$request->session()->regenerate();

I tried removing the line of code, and sure enough the AJAX request worked. But then I read in the Laravel docs that it will "prevent malicious users from exploiting a session fixation attack on your application."

And thus, I didn't remove it.

I tried many other things that I won't bore you with, but while searching for a fix, I found an anomaly(?). In the F12 menu, under "Application", looking at the Cookies, I found that while logging in, the cookie named "laravel_session" changed 3 times, instead of twice when I logged out.

jQuery version: 3.5.1
PHP version: 7.4.7
For the SQL I use XAMPP v3.2.4 (I think)

EDIT:

I have done a few more things, I found out that if the session id is regenerated, the browser/ajax won't accept responses. Now, the error code of 419 also comes with the error message of "CSRF token mismatch", which might suggest a problem with the cookie that contains the session id information.

After searching around about this error message, I found that the session id is for authorizing the login information. And so with the session id regenerated, it might cause conflict with the previous session id when authorizing the login.

Though all of that is only speculation.

And in the end, it's all a bizarre instance and that I am also surprised that I didn't find anything like this anywhere on the internet. I don't think this is a problem with the AJAX requests or the default Laravel authentication methods.

By the way, these are the commands I used to install the login authentication stuff.

composer require laravel/ui
php artisan ui vue --auth
Rep
  • Can you try the header X-XSRF-TOKEN (not X-CSRF-TOKEN)? Hmmm, finished reading your question, that's not the issue, I don't think. – Kurt Friars Jul 17 '20 at 11:41
  • The session and xsrf are sent along with every response, so the fact the Login controller regenerates the session should not affect anything. The middleware will act before the controller code runs and your session will not have been regenerated yet. So it is REALLY weird that "I tried removing the line of code, and sure enough the AJAX request worked." – Kurt Friars Jul 17 '20 at 11:49
  • @KurtFriars I tried X-XSRF-TOKEN and it returned 500 with the message "The payload is invalid" – Rep Jul 17 '20 at 11:52
  • Can you dd() a stack trace from where the $request->session()->regenerate(); line is? And share it in your question? – Kurt Friars Jul 17 '20 at 12:00
  • @KurtFriars I'll see what I can do – Rep Jul 17 '20 at 12:13
  • It may also be worth trying to handle the 419 in the exception handler yourself and dd a trace from there. – Kurt Friars Jul 17 '20 at 12:15

1 Answer


You have to use X-XSRF-TOKEN with the token from the XSRF cookie, not the CSRF token.

If you are using Vue.

For more information: https://stackoverflow.com/a/64992490/9287628

Abilogos
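As an added example (not code from the question or the answer above), this is how a jQuery page can send the X-XSRF-TOKEN header from Laravel's XSRF-TOKEN cookie, reading the cookie at request time so the value stays current after the session is regenerated on login. The cookie string is passed in as a parameter (an assumption, so the helpers also run outside a browser) and the sample cookie value is constructed.

```javascript
// Added example (not from the question or answer on this page): send Laravel's
// X-XSRF-TOKEN header from the XSRF-TOKEN cookie instead of the meta csrf_token().
// Assumption: the cookie string is passed in (document.cookie in the browser) so
// the helpers can run outside a browser as well.

// Parse a "k=v; k2=v2" cookie string and return the decoded value of one cookie.
// Laravel URL-encodes cookie values, so base64 "=" padding arrives as "%3D".
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    if (key === name) return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

// Build the header that Laravel's VerifyCsrfToken middleware decrypts itself.
// Putting the plain meta token in this header is what yields "The payload is invalid".
function xsrfHeaders(cookieString) {
  const token = readCookie(cookieString, "XSRF-TOKEN");
  if (token === null) throw new Error("XSRF-TOKEN cookie is missing");
  return { "X-XSRF-TOKEN": token };
}

// Constructed sample of what document.cookie might contain on a Laravel page.
const SAMPLE_COOKIE = "laravel_session=abc123; XSRF-TOKEN=eyJpdiI6InRlc3QifQ%3D%3D";

// In the browser, read the cookie per request rather than once in $.ajaxSetup:
// session()->regenerate() on login also regenerates the CSRF token, so a value
// captured at page load goes stale after the login response.
if (typeof $ !== "undefined") {
  $.ajaxSetup({
    beforeSend: function (xhr) {
      const headers = xsrfHeaders(document.cookie);
      xhr.setRequestHeader("X-XSRF-TOKEN", headers["X-XSRF-TOKEN"]);
    }
  });
}
```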