Later versions of Laravel (correctly) use POST to log out of the session. The reason for this is that GET/HEAD should only be used for passive actions, to comply with the HTTP requirements.
POST with a CSRF token also protects against malicious users/sites logging you out of your session: https://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection
However, if the session has already expired and the user presses the logout button (which sends a POST to the logout route), a token mismatch error is received. That makes sense: the token does not match because the session has expired.
I could just catch this particular TokenMismatchException based on the request variables and, if it matches, handle it in my own way (e.g. redirect to "home" or "/"). Like this:
    use Illuminate\Session\TokenMismatchException;

    public function render($request, Exception $e)
    {
        // Swallow the CSRF failure only for the logout route and send the user home
        if ($e instanceof TokenMismatchException && $request->getRequestUri() === '/logout') {
            return redirect('/');
        }

        return parent::render($request, $e);
    }
My question is: if I do the above, what is the point of the token in the first place? And how do you log a user out whose session has already expired while preserving the expected benefits of using a POST logout with a CSRF token?
Chris
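As an added illustration (not code from the question above or from Laravel itself), one way to keep the exemption as narrow as possible: it only applies to a POST on the logout path, and it discards the stale session and issues a fresh token before redirecting. The path `logout`, the redirect target `/` and the flash key `status` are assumptions.

```php
<?php
// Added example: an App\Exceptions\Handler that tolerates a stale CSRF token
// only for POST /logout. Once the session has expired there is no authenticated
// user left, so a forged "logout" cannot do anything a plain visitor could not.
namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;

class Handler extends ExceptionHandler
{
    public function render($request, Exception $e)
    {
        // Every other form keeps strict CSRF enforcement; only the logout POST
        // (assumed path: "logout") is allowed to fail the token check quietly.
        if ($e instanceof TokenMismatchException
            && $request->isMethod('post')
            && $request->is('logout')) {

            // Drop whatever is left of the old session and mint a new token so
            // the next page the user loads carries a valid one.
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect('/')->with('status', 'Your session had already expired.');
        }

        return parent::render($request, $e);
    }
}
```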