CSRF token mismatch randomly occurs with auth since installing Pulse #252
Comments
Are you using redis for session as well and did redis server memory usage max out when you faced this issue?
I'm not using Redis for sessions, and memory usage of my Redis node has remained between 50%-60% continuously over the past 14 days
@sts-ryan-holton do you know if this is only happening to users that visit the I'm wondering if Livewire, which is used on the dashboard, is somehow causing the token to be regenerated or something. Have you anything custom in your application around generating / regenerating CSRF tokens?
Also curious about what middleware is used on the Pulse route vs. the other routes
This is happening on non-pulse routes. But I suspect Pulse might be causing this. For example, since I've got Laravel Fortify and Sanctum in my project, if I try to log in via my front-end, it first makes a request to the sanctum csrf-token endpoint, but this occasionally fails and throws the mismatch error. This has only started happening since installing Pulse, and prior to this I've had sanctum/fortify in my project for the past 2 years no problem. I don't do anything custom with my tokens.
Just jumping back in here, I've had several reports from customers within my platform since creating this issue. I've just experienced the CSRF token mismatch error again just now, here's something interesting:
However... Without setting
Hello, I also have the same problem. When I have
only on login/logout process. My config is not cached, but when I cache my config and test, the error doesn't appear. I add that caching config is not appropriate for my application needs. I have also run several times Pulse Version Laravel Version PHP Version Database Driver
@waazibf are you also using Laravel Sanctum? This seems like it may be a different issue as your error is related to encryption and not CSRF expiration?
Yes, I have Laravel Sanctum for API-side authentication. However, the problem only occurs when login/logout on the web. I initially thought it was due to the csrf but when I'm logged in and handling other forms using the csrf, there are no problems. I have the impression that during login/logout, the application can't read the APP_KEY parameter of the env. However, when the config is cached the error doesn't occur during login/logout.
I'm struggling to work out what could be causing this one. If either of you could create a reproduction repository, that would be much appreciated. I'm also wondering if maybe Pulse is silently discarding an exception or something under the hood that might shed some more information on the problem. Could you both add some Pulse exception logging and see if that gives you any further insights: https://laravel.com/docs/11.x/pulse#pulse-exceptions
Unfortunately I'm not able to replicate this one. We are happy to dive into it, but will need some more information on the potential cause if anyone is able to do any debugging on the issue. Ping the thread if you have any insights and we can always reopen the issue.
Pulse Version
1.0.0-beta5
Laravel Version
10.37.3
PHP Version
8.1.26
Livewire Version
Whatever Pulse is using
Database Driver & Version
Maria DB
Description
Recently I installed Laravel Pulse into my Laravel project. My Laravel project uses Laravel Sanctum and Laravel Fortify for authentication and registration. My Laravel project acts exclusively as an API backend to a Nuxt JS 2 front-end. My Nuxt front-end utilises v5 of the auth module.
Ever since I installed Pulse into my project I've been seeing a few random "CSRF token mismatch" errors occur which I never saw prior to installing Pulse.
Steps To Reproduce
When I first saw the error, I couldn't log in at all, so I SSH'd into my server and set `PULSE_ENABLED` to false, ran `php artisan cache:clear` and then I was able to log in again. I think there might be something wrong somewhere in Pulse which is conflicting with another package like Sanctum.
I'm using the Redis ingest in my project, and saving pulse entries to my production database, I don't use a separate database. I do use a Horizon queue.