Framework: Csrf token is regenerated in the session after several Ajax requests in a short time

Created on 10 Mar 2016 · 9Comments · Source: laravel/framework

Hi,
i'm working on a Laravel 5.1 app where the user can upload many images (one by one).

the problem i have is the token is regenerated in the session after uploading couple images via ajax,
so the next image wont be uploaded because Laravel tries to compare the old csrf token (when i first opened new content form) with the new one regenerated in the session.
i dug into Laravel files and i figured out that the token is being regenerated by this function in
vendor/laravel/framework/src/illuminate/session/store.php file :

public function start()
    {
        $this->loadSession();

        if (! $this->has('_token')) {
            $this->regenerateToken();
        }

        return $this->started = true;
    }

here is an example :

click the images for a full screen

test part 1
img_ajax_upload

test part 2
img_ajax_upload2

Source

eissasoubhi

👍3 😄1

All 9 comments

does this also happen on laravel 5.2?

it-can on 11 Mar 2016

Sorry, this is a duplicate.

GrahamCampbell on 11 Mar 2016

👎7

@GrahamCampbell Which is it a duplicate of? #8172? That issue was closed, but not actually resolved. The same issue started occurring for me a week ago, and perusing the issues, it appears there's longstanding subtle concurrent session bugs for at least a year now. If this has actually been solved somewhere, I'd love to know the solution. Even a Laracast or forum post directing how to avoid it would be useful.

My personal guess is it's some sort of concurrency bug involving saving large amounts of session data in the terminate() method, which is after data has been sent out to client, so incoming requests are already hitting the server again. In my case, at least, it has nothing to with driver (tried memcache, apc, and file).

KingMob on 11 Mar 2016

Before i opened this issue i've googled it and i didn't find any convenient answer. just hacking ways.
so if this issue is duplicated and SOLVED, plz i'd love to know

eissasoubhi on 11 Mar 2016

I also experience this error.
I have a dynamic resize url for image, when the images are loaded my session is changed for every request and in the end not valid anymore.
Any solutions would be great.

nickbr5 on 15 Mar 2016

to solve that in my situation i just added the post URI to $except attribute of VerifyCsrfToken Middleware (AppHttpMiddlewareVerifyCsrfToken) .

see https://laravel.com/docs/master/routing#csrf-protection

eissasoubhi on 15 Mar 2016

So nobody want to solve this important issue. Also happening on redis or database session driver.

sebastianvirlan on 3 May 2016

maybe that has something to do with the browser, it works fine on Mozilla Firefox !

eissasoubhi on 9 Mar 2017

to solve that in my situation i just added the post URI to $except attribute of VerifyCsrfToken Middleware (AppHttpMiddlewareVerifyCsrfToken) .

see https://laravel.com/docs/master/routing#csrf-protection

This is not supposed to be a good solution, as that will open up many possibilities. For any post to db, a csrf token ought to be verified. I feel the best solution would be to create a route to refresh the tokens and pass the refreshed token to the meta header dynamically upon each Ajax request.