
Laravel session expires randomly

We had an issue on our website where our users randomly got CSRF errors. The session cookie and session data were set to expire in 12 hours and the session driver is set to use Redis. After further investigation we finally succeeded in simulating the exception condition, so here is the scenario:

A user opens two different pages on the site, using the Chrome browser with the “open last closed tabs” setting on. One of the pages has a form on it (e.g. login); then the user quits the browser at some point. He reopens his browser the next day (12 hours have passed, so the session cookie and session data are expired) and Chrome tries to reload all the pages which were open. It sends two simultaneous requests to the server, neither of which has a session cookie. At the server end Laravel generates a different session ID for each. Chrome receives them and one session cookie overrides the other. Once the user attempts to submit the form (e.g. login), it generates a CSRF error, as the form's session cookie has been overridden.

We also had some AJAX POST requests which failed with CSRF errors due to this condition.

I was wondering whether or not Laravel can generate the same session ID for both requests in a secure manner.

Does anyone have any ideas how we can fix this issue?

P.S.: we are using Laravel 4.1 with this session configuration:

return array(
    'driver' => 'redis',
    'lifetime' => 720,
    'expire_on_close' => false,
    'files' => storage_path().'/sessions',
    'connection' => null,
    'table' => 'sessions',
    'lottery' => array(2, 100),
    'cookie' => 'laravel_session',
    'path' => '/',
    'domain' => '.ourdomain.com',
);
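The tab-restore race described in the post, modelled as an added Python example (not from the original post and not Laravel's code): a minimal session store with per-session CSRF tokens, two cookieless GETs that each start a fresh session, and a single cookie jar in which the last Set-Cookie wins. The names `SessionStore`, `render_page` and `simulate_tab_restore` are assumptions for this illustration.

```python
import secrets


class SessionStore:
    """Stand-in for Laravel's Redis session store (constructed for this example, not Laravel code)."""

    def __init__(self):
        self.sessions = {}

    def start(self, cookie_sid):
        """Resume the session named by the cookie, or create a fresh one with a fresh CSRF token."""
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_hex(20)
        self.sessions[sid] = {"_token": secrets.token_hex(20)}
        return sid

    def csrf_valid(self, cookie_sid, form_token):
        """The check a CSRF filter performs: the posted token must equal the cookie session's token."""
        session = self.sessions.get(cookie_sid)
        return session is not None and secrets.compare_digest(session["_token"], form_token)


def render_page(store, cookie_sid):
    """GET handler: returns the session id to set in the cookie and the CSRF token embedded in the page."""
    sid = store.start(cookie_sid)
    return sid, store.sessions[sid]["_token"]


def simulate_tab_restore(last_cookie_wins=True):
    """Two tabs restored at once after the 12-hour lifetime; neither request carries a cookie.

    Returns whether the later form submission passes the CSRF check.
    """
    store = SessionStore()
    jar = None                                        # expired cookie: the browser sends nothing
    sid_form, token_form = render_page(store, jar)    # tab with the login form
    sid_other, _ = render_page(store, jar)            # the other restored tab
    # Both responses carry Set-Cookie: laravel_session=...; the browser keeps only one of them.
    jar = sid_other if last_cookie_wins else sid_form
    # The user submits the form: token from the form's page, cookie from whichever response won.
    return store.csrf_valid(jar, token_form)
```

Which response's cookie arrives last is outside the server's control, so the same two requests pass or fail depending only on response ordering; that is why the failures looked random.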
