0

I'm using Laravel 5.4 and I need to handle an error. Imagine a user is logged in and has opened two windows (his profile). When the user clicks on logout in one window, we still have the logout button in the other window, and by clicking on that, Laravel will show the csrf_token error page.

My logout is not AJAX; it works by submitting a form to /logout. How can I handle this error with a special message, or redirect to home without an error, from the logout controller? (Not all csrf_token errors, just the ones from that controller.)

Logout form:

I submit this form by clicking on the logout button using jQuery:

```html
<form id="logout-form" action="/logout" method="POST" style="display: none;">
    <input type="hidden" name="_token" :value="token">
</form>
```

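And the logout method in the controller:

```php
public function logout(Request $request)
{
    // Log the user out of the current guard
    $this->guard()->logout();

    // Clear all session data and issue a new session ID
    $request->session()->flush();
    $request->session()->regenerate();

    return redirect('/');
}
```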
    I am also involved with this issue. Commented Jul 27, 2017 at 22:51

2 Answers

3

In App\Exceptions\Handler.php, return the user to the form with a new valid CSRF token, so the page will be refreshed and the logout button will no longer exist.

```php
// At the top of app/Exceptions/Handler.php:
use Illuminate\Session\TokenMismatchException;

public function render($request, Exception $exception)
{
    if ($exception instanceof TokenMismatchException) {
        // with() takes a session key and a value; the key name 'message' is a placeholder
        return redirect()
            ->back()
            ->with('message', 'your msg');
    }

    return parent::render($request, $exception);
}
```

This looks as if the page was refreshed.

Don't replace POST with GET. It would be neither safe nor standard.


1 Comment

I used to handle this kind of problem with redirects, but this answer gives "the right way".
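An added example (not part of the original answer, and not Laravel's own code) that narrows the handler above to the logout route only, as the question asks, while keeping logout on POST with CSRF verification. The flash key `status` and the message texts are assumptions.

```php
<?php
// app/Exceptions/Handler.php (Laravel 5.4)

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;

class Handler extends ExceptionHandler
{
    public function render($request, Exception $exception)
    {
        // Special-case only a rejected POST to /logout; every other
        // CSRF failure keeps the default handling.
        if ($exception instanceof TokenMismatchException
            && $request->isMethod('post')
            && $request->is('logout')) {

            // VerifyCsrfToken rejected this request, so nothing in this
            // branch may act on it: logout() is never called here.
            if (auth()->check()) {
                // A session is still active but the token did not match
                // (stale page or a request from another site). Send the
                // user back so the page reloads with a fresh token.
                return redirect()
                    ->back()
                    ->with('status', 'Please try logging out again.'); // assumed key/text
            }

            // No active session: the user already logged out in another
            // window, so the stale button has nothing left to do.
            return redirect('/')
                ->with('status', 'You are already logged out.'); // assumed key/text
        }

        return parent::render($request, $exception);
    }
}
```

The flashed `status` value can be read with `session('status')` in the view that renders the redirect target.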
1

One way is to use GET for your logout. In fact, using a simple <a href="/logout">logout</a> should be sufficient. So you change your route to use GET and you can wave bye to the form.

Although, there might be different opinions about the METHOD to use but truthfully, this is sufficient.

Update

Isn't there any way to manage errors just like what I said?

In my opinion, this is the best I would do for now. Otherwise, to show a special message when someone tries the logout route even though they are logged out, I will just do the following:

```php
public function logout(Request $request)
{
    if (!auth()->check()) {
        // message can be retrieved in session()
        return redirect('/')->with('login_error', 'You are already logged out please login again');
    }

    $this->guard()->logout();
    $request->session()->flush();
    $request->session()->regenerate();

    return redirect('/');
}
```

I will still not use post, since I am not creating any resource.

I hope this helps.

8 Comments

There could be a way to do that, but that's the best I can think of for now. Maybe you should simply change your form method to GET, then change the method in your route to GET as well, remove the token field from the form, and then you don't need to use the <a href... I suggested
The advantage is that you don't have to worry about it showing any error, and if you want to customize your logout message in this case then it's easy. So in your controller, before anything, check if(!auth()->check()){ do something since you are already logged out } else just logout.
Did you change to GET?
Oh yes. With GET it's working. Why did Laravel use POST? Is the POST method more secure in this issue?
Well, POST is more secure in this sense because it requires that you be logged in and have ('csrf_token') before you can run that route, so that you can be sure the person accessing that route is the logged-in user and not another person. But in the case of logging out I don't think it's really a problem, especially in handling this situation.