Laravel 6 CSRF token expired in every 60 seconds?

I am using Laravel 6. I want my Laravel CSRF token to expire every 60 seconds.

config/session

'lifetime' => 60,



Solution 1:[1]

First of all, CSRF is stored in the XSRF-TOKEN cookie. Ref: 50904763

According to the question (Ref: 51615122), we change the configuration in app/Http/Middleware/VerifyCsrfToken.php by adding a new method named addCookieToResponse

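use Symfony\Component\HttpFoundation\Cookie;

// Overrides the framework method that writes the XSRF-TOKEN cookie.
public function addCookieToResponse($request, $response) {
    $config = config('session');
    // Cookie lifetime in seconds. env() returns null outside config files once
    // the configuration is cached, so fall back to 60 and cast to int.
    $session_life = (int) env('CSRF_LIFE', 60);

    $response->headers->setCookie(
        new Cookie(
            'XSRF-TOKEN', $request->session()->token(), $this->availableAt($session_life),
            $config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
        )
    );

    // The parent implementation returns the response, so do the same.
    return $response;
}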

where $config is used to get the session information from the existing lifetime. However, I parse $session_life from .env to make sure you can customize as much as you can.

So, the result is simple: configure everything as it belongs, except in the $this->availableAt($session_life) part, where session_life is in seconds.

So, please set session_life to 60 in .env as below:

CSRF_LIFE="60"

After you save and refresh your page, or clean cache and configs, Session LifeTime will be two hours but CSRF will be only 60 secs.

Hope this works.

CSRF Cookie Time on 1 Minute

Solution 2:[2]

After long testing I ended up with something: the lifetime option you put in the session config does not allow setting the expiry time in seconds; it only allows minutes.

So, when you set lifetime = "60", it means it will expire in 1 hour.

Hence, you have to set lifetime = "1" in your config/session.php file. Also, the default value in the .env file is SESSION_LIFETIME=120; you have to replace that with 1: SESSION_LIFETIME=1.

After that you have to clear the cache with the command:

php artisan config:cache

Now, your session will expire after 1 minute / 60 seconds.

To see more check this question.

Thanks, HaPpY Coding
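
The cookie override in Solution 1 shortens only the XSRF-TOKEN cookie; the value that Laravel's VerifyCsrfToken middleware compares against is kept in the session and stays valid for the life of the session unless it is regenerated. As an added example (not code from either answer), this version of app/Http/Middleware/VerifyCsrfToken.php rotates the session token once it is older than 60 seconds, so a stale token is rejected server-side without shortening the whole session. TOKEN_TTL and the csrf_issued_at session key are names assumed for the example.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // Assumption for this example: maximum token age in seconds.
    const TOKEN_TTL = 60;

    // Hypothetical session key recording when the current token was issued.
    const ISSUED_AT_KEY = 'csrf_issued_at';

    // URIs excluded from CSRF verification (none in this example).
    protected $except = [];

    public function handle($request, Closure $next)
    {
        // StartSession runs before this middleware in the "web" group,
        // so the session store is available here.
        $session  = $request->session();
        $issuedAt = $session->get(self::ISSUED_AT_KEY);
        $now      = time();

        if ($issuedAt === null) {
            // First request seen for the current token: start its clock.
            $session->put(self::ISSUED_AT_KEY, $now);
        } elseif ($now - $issuedAt >= self::TOKEN_TTL) {
            // Token is too old: replace it before verification runs, so a
            // state-changing request carrying the old value no longer matches
            // and the parent throws TokenMismatchException.
            $session->regenerateToken();
            $session->put(self::ISSUED_AT_KEY, $now);
        }

        // The normal check (and the XSRF-TOKEN cookie refresh) still happens
        // in the framework middleware, now against the current token.
        return parent::handle($request, $next);
    }
}
```

With a 60-second lifetime, any form left open longer than a minute is rejected on submit, so the page needs to fetch a fresh token before posting.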

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lwin Maung Maung
Solution 2 Meher Ullah Khan Raj