Hi Pavel!
This video was so useful, but I am looking for an answer to the following problem. I have a SPA with a Laravel API and Sanctum, and this problem is so annoying. The problem is:
I seem to be hitting a scenario where the CSRF token is validated before checking that the user is logged in.
So, if the user goes away for more than 2 hours then comes back and hits a link that requires them to be logged in, the Authenticate middleware runs and redirects them to the Auth\login page.
If however, they are on a form page, and they go away for more than two hours, the csrf token and the session token expire. Now they come back and fill in the form and press submit. This time, the csrf token is checked first and instead of being passed to the login page they see a Token Mismatch error.
I'm assuming that this is because VerifyCSRFToken is a global middleware and the Authenticate middleware is route middleware. This affects the order in which they are evaluated.
How can I handle this gracefully? What do others do?
Thanks for your help!
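One way to handle the ordering problem described in the post, as an added example that is not part of the original comment or of Laravel itself: intercept `TokenMismatchException` in the application's exception handler, before the framework turns it into a bare 419 page, and decide based on whether a session still exists. The code assumes a Laravel 8 to 10 application that still ships `app/Exceptions/Handler.php` and a named `login` route; the status messages are made up here. Because `StartSession` runs earlier in the `web` group than `VerifyCsrfToken`, the guard can already tell whether the user's session survived, so an expired session can be turned into the same redirect the `Authenticate` middleware would have produced, while a logged-in user with a stale form token is sent back to the form with their input.

```php
<?php
// app/Exceptions/Handler.php (Laravel 8-10 layout; assumption: a route named 'login' exists)

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Throwable;

class Handler extends ExceptionHandler
{
    /**
     * VerifyCsrfToken (global 'web' group middleware) throws TokenMismatchException before any
     * route-level Authenticate middleware runs, so a stale session plus a stale token on a form
     * POST surfaces here instead of as a redirect to the login page.
     *
     * render() is overridden rather than using $this->renderable(), because the base handler
     * converts TokenMismatchException into a generic HttpException(419) before the renderable
     * callbacks are consulted, so a callback typed on TokenMismatchException would never match.
     */
    public function render($request, Throwable $e)
    {
        if ($e instanceof TokenMismatchException) {
            return $this->renderTokenMismatch($request, $e);
        }

        return parent::render($request, $e);
    }

    protected function renderTokenMismatch($request, TokenMismatchException $e)
    {
        // StartSession has already run, so the default guard reflects the (possibly expired)
        // session. No authenticated user means the session is gone: treat it as "not logged in".
        $sessionExpired = ! $request->user();

        $message = $sessionExpired
            ? 'Your session has expired. Please log in again.'   // constructed message
            : 'The form has expired. Please try again.';          // constructed message

        // SPA / XHR callers keep receiving a 419, with a message the client can show
        // before sending the user to its login view.
        if ($request->expectsJson()) {
            return response()->json(['message' => $message], 419);
        }

        if ($sessionExpired) {
            // Same outcome the Authenticate middleware would have produced: go to login,
            // remembering the requested page so the user returns to it afterwards.
            return redirect()->guest(route('login'))->with('status', $message);
        }

        // Still logged in but the token is stale (e.g. the session was regenerated in another
        // tab): return to the form with the non-sensitive input instead of a bare 419 page.
        return redirect()->back()
            ->withInput($request->except(['_token', 'password', 'password_confirmation']))
            ->with('status', $message);
    }
}
```

Note that this does not relax CSRF protection in any way: every mismatched token is still rejected, only the response the user sees changes. For the Sanctum SPA side, the `expectsJson()` branch keeps the standard 419 status, so the client can react to 419 the same way it reacts to 401 and send the user to its login screen.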