[4.2] CSRF Token is regenerated on high request frequency #6777

esbenp · 2014-12-22T22:27:06Z

When a high amount of requests (8+) is made to my app with a high frequency (within 5-8 seconds) my CSRF token is regenerated at some point. I cannot seem to find the cause in code nor anywhere debated in documentation. I did however find a similar, unanswered question on SO from September http://stackoverflow.com/questions/25725940/laravel-4-2-generates-new-csrf-token-depending-of-requests-frequecy

I have successfully replicated the issue in this repository https://github.com/esbenp/Laravel-Session-Bug . Beware, the bug is occurring very randomly, meaning on some tries it has successfully executed 50 request with same token whilst on others the token has changed at some point. Sometimes even multiple times.

Below is an excerpt from the demo log showing the X-CSRF-Header, the Session::getToken() value and the session id for 50 requests made within a short period of time (2 seconds).

[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

[ ... 20 similar results ... ]

[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'Lmj4DlV92FRCIjEyrOEepJvFhPbhvVRlsnHnZAmA',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'Lmj4DlV92FRCIjEyrOEepJvFhPbhvVRlsnHnZAmA',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

[ ... 2 similar results ... ]

[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

The text was updated successfully, but these errors were encountered:

barryvdh · 2014-12-23T09:34:20Z

What session driver are you using? File? Can you test with other drivers, eg. database?

esbenp · 2014-12-23T11:37:06Z

Yes, I am currently using file driver. I will test with others later in the day and get back to you with results.

esbenp · 2014-12-24T02:36:03Z

I tried changing to database driver @barryvdh . This causes duplicate entry problems. I am making 10 AJAX requests, at the same time, to my Laravel application from my app. This caused 5 rows to be made in the sessions table.

4/5 red requests failed due to duplicate entry. The 5th one failed due to TokenMismatch

bonzai · 2014-12-25T23:44:05Z

I can confirm it too (using Laravel 5 and file driver).

GrahamCampbell · 2014-12-26T12:39:12Z

Can anyone send a pull to fix this?

barryvdh · 2014-12-26T15:19:32Z

Does anyone know what is causing this then? Or what the proposed fix is?

Could it have to do with multiple writes/reads to the session? But reading the CSRF token should just read the session, not write it, right? So not sure why it would be lost..

henrikromby · 2014-12-28T14:29:40Z

I have observed an issue where users would be logged out of my app if they sent too many requests in a short time (using AJAX). Never found the cause, but maybe it could be related to this issue?

barryvdh · 2014-12-30T10:56:37Z

Probably related to #5416 and similar?

Did this always happen, or just recently? And are you writing to the session on every request?

avi123 · 2014-12-30T20:21:01Z

This is the 5416 issue - see explanation there.

ammont · 2015-03-26T13:46:06Z

@GrahamCampbell I guess this issue needs to be reopened.

GrahamCampbell · 2015-03-26T13:47:59Z

@ammont Hmmm, maybe. We've got no idea what is going on here.

faisal975232 · 2024-10-22T06:35:51Z

is this issue solved .. I have this issue .. do not know how to overcome .. need help ..

after loggin in .. i am getting unauthorized on first ajax request.

GrahamCampbell added the bug label Dec 26, 2014

GrahamCampbell added the medium priority label Dec 29, 2014

GrahamCampbell closed this as completed Jan 30, 2015

ammont mentioned this issue Mar 26, 2015

Race condition on session engine causing unexpected behavior on concurrent requests #5416

Closed

GrahamCampbell mentioned this issue Mar 26, 2015

[5.0] Session Persistance Issues #8172

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[4.2] CSRF Token is regenerated on high request frequency #6777

[4.2] CSRF Token is regenerated on high request frequency #6777

esbenp commented Dec 22, 2014

barryvdh commented Dec 23, 2014

esbenp commented Dec 23, 2014

esbenp commented Dec 24, 2014

bonzai commented Dec 25, 2014

GrahamCampbell commented Dec 26, 2014

barryvdh commented Dec 26, 2014

henrikromby commented Dec 28, 2014

barryvdh commented Dec 30, 2014

avi123 commented Dec 30, 2014

ammont commented Mar 26, 2015

GrahamCampbell commented Mar 26, 2015

faisal975232 commented Oct 22, 2024 •

edited

Loading

[4.2] CSRF Token is regenerated on high request frequency #6777

[4.2] CSRF Token is regenerated on high request frequency #6777

Comments

esbenp commented Dec 22, 2014

barryvdh commented Dec 23, 2014

esbenp commented Dec 23, 2014

esbenp commented Dec 24, 2014

bonzai commented Dec 25, 2014

GrahamCampbell commented Dec 26, 2014

barryvdh commented Dec 26, 2014

henrikromby commented Dec 28, 2014

barryvdh commented Dec 30, 2014

avi123 commented Dec 30, 2014

ammont commented Mar 26, 2015

GrahamCampbell commented Mar 26, 2015

faisal975232 commented Oct 22, 2024 • edited Loading

faisal975232 commented Oct 22, 2024 •

edited

Loading