
I have an admin panel built in Laravel 5.8. Admins of the site fill out a complex form to create components that are visible on the front end. Filling out the form can take quite a while. The form is protected behind an authentication guard.

The form typically works as expected, but from time to time submitting the form returns a 419 page expired error. The form has a CSRF token and does work in most cases. It is just in some cases when it returns the error.

The site uses the file session driver.

Here are some things I have tried:

  • Refreshing the CSRF token at intervals
  • Extending the session lifetime
  • Clearing the artisan cache
  • Having the user clear their browser cache

At this point I am at a loss if the client continues experiencing these issues. It is also extremely difficult to diagnose since there is no evidence in the logs and it seems to happen at random.

Does anyone have experience with CSRF tokens and long forms? Is there anything I can do to prevent this from happening?

Dave Olson
  • Your other option would be to exclude that route (which is not the suggested one)... it generally suffices to occasionally XHR post to any CSRF token protected route to keep the session alive. It seems your attempts at fixing that didn't go so well, because it should continue the session in the first case and extend the session lifetime in the second case; while case three and four are rather useless. Just set a quite low session-lifetime for testing this, then it isn't difficult to reproduce the issue. – Martin Zeitler Oct 06 '20 at 14:27
  • @MartinZeitler Ok - Thanks for the link to that post. I used the ideas in that post to create my token refresh functions. What is stumping me at the moment is that the user (according to them) logs in, navigates to the form, spends about 15 minutes working, and then sees the 419 message. The token should have been refreshed several times in that time span. I believe I set it at something like every 5 minutes. – Dave Olson Oct 06 '20 at 14:59
  • @DaveOlson Setting the interval to 5 minutes might be too high. Another suggestion would be to use AJAX to auto-save the form, or split the big form into smaller ones. Needing to spend 15 minutes to fill in a form sounds like too much and can easily lead to frustration when the user isn't able to complete it and has to restart from the beginning. – achillesp Oct 06 '20 at 18:09

0 Answers
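The periodic token refresh discussed in the question and comments, written so that a failed refresh is reported instead of hidden (an added example, not code from the thread). The `/csrf-token` route, the one-minute interval and the function names are assumptions; the route is expected to sit behind the same session and authentication middleware as the form.

```javascript
// Added example, not from the original post. Assumed: a same-origin GET route
// "/csrf-token" (hypothetical) returning {"token": "..."} for the current
// session, and a form carrying Laravel's hidden "_token" input.
const REFRESH_URL = '/csrf-token';   // hypothetical route name
const REFRESH_EVERY_MS = 60 * 1000;  // assumed; keep well under the session lifetime

// Ask the server for the session's current token.
async function fetchToken(fetchImpl, url = REFRESH_URL) {
  const res = await fetchImpl(url, {
    credentials: 'same-origin',      // send the session cookie, same origin only
    headers: { Accept: 'application/json' },
  });
  // 419: token/session expired; 401: no longer authenticated.
  if (!res.ok) return { ok: false, status: res.status, token: null };
  const body = await res.json();
  const token = body && typeof body.token === 'string' ? body.token : '';
  return { ok: token !== '', status: res.status, token: token || null };
}

// Copy the token into every hidden _token input and the csrf-token meta tag.
function applyToken(doc, token) {
  const inputs = doc.querySelectorAll('input[name="_token"]');
  inputs.forEach((el) => { el.value = token; });
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (meta) meta.setAttribute('content', token);
  return inputs.length;
}

// One keep-alive tick. A failed refresh is reported, not swallowed, so an
// expired session shows up before the user submits the form.
async function keepAliveTick(doc, fetchImpl, onExpired) {
  let result;
  try {
    result = await fetchToken(fetchImpl);
  } catch (err) {
    return { refreshed: false, reason: 'network' }; // keep the old token, retry next tick
  }
  if (!result.ok) {
    onExpired(result.status);
    return { refreshed: false, reason: 'status-' + result.status };
  }
  return { refreshed: true, updated: applyToken(doc, result.token) };
}

if (typeof document !== 'undefined') { // browser only
  const warn = (status) => console.warn('CSRF refresh failed, HTTP ' + status);
  setInterval(() => keepAliveTick(document, (u, o) => fetch(u, o), warn), REFRESH_EVERY_MS);
}
```

Logging the status passed to `onExpired` on the client gives the evidence that the server logs lack: whether the session was already gone before the form was submitted.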