419 error code from time to time

[IsraelOrtuno]

I am getting a 419 error code from time to time but still not 100% sure of the pattern. I believe it's happening when Laravel may be clearing the session (which seems like can happen without control) but the frontend doesn't refresh the CSRF token.

I believe that some users may leave tabs open so they idle, then maybe come back a few hours later (or days) and submit a form without CSRF being refreshed. Not sure if thats the case.

My questions are:

• Should we be taking care of refreshing the CSRF token before certain actions?
• Maybe create an interceptor that captures 419 error and then refreshes?
• Is CSRF token supposed to be renewed after logout?

I feel like using cookie authentication can get broken really easy and for the amount of issues related to 419, seems like hard to configure and use properly.

Thanks in advance!

[manchenkoff]

Hey @IsraelOrtuno , thanks for raising this!

I believe it's happening when Laravel may be clearing the session (which seems like can happen without control) but the frontend doesn't refresh the CSRF token.

Even with a tab opened for a long time, it should work fine if you have an active session token for the user via remember me feature - it is handled by the module automatically as well. You can configure session lifetime in config/session.php or via SESSION_LIFETIME env variable. Try to reduce it to a couple of mins and see if that what is happenning. If that's the case, then refetching CSRF won't work because the session for the user is not active anymore and API does not know what CSRF is valid, so they have to log in with their credentials again.

I believe that some users may leave tabs open so they idle, then maybe come back a few hours later (or days) and submit a form without CSRF being refreshed. Not sure if thats the case.

This should not affect the work because if the cookie is not valid anymore (now() > expires_at), we simply can't read it and we refresh CSRF token by calling API. You can test it by manually deleting CSRF cookie from the browser.

Should we be taking care of refreshing the CSRF token before certain actions?

Not really, the CSRF cookie is returned from the Laravel API on every response. In cases when the cookie has already expired, the module triggers refetching automatically. Same as the behaviour I mentioned above.

Maybe create an interceptor that captures 419 error and then refreshes?

It may help, but it would be nice to understand what the exact cause is. If it fails with 419 because of a missing CSRF cookie in the request - it is one problem, but if we still have a valid cookie which is rejected by Laravel, this is a bit more complicated and even refetching might not solve the issue.

Is CSRF token supposed to be renewed after logout?

Yes, and it is also done automatically once Laravel returns a successful response on logout, so shouldn't be a problem.

---

I believe it may be related to TTL of the session/cookie on Laravel's side, so if you can reproduce this by tweaking the expiration param in config/sanctum.php or config/session.php, that would help to narrow it down.

[IsraelOrtuno]

I believe that too, I am trying to replicate it, will get back with more info! Thanks for the detailed response.