Elegant handling of 419 expiry
Does anyone have an elegant solution for handling a 419 expiration in Filament? By default in Laravel, the CSRF token and session expire after two hours, which is extended on every interaction.
If the user leaves a page with no polling open for two hours (default expiry), or closes their browser, or puts the computer to sleep, when they return to the page they'll end up seeing a full page modal containing a 419 Expiry message, along with a JS popup saying the page has expired.
When they click to refresh, even if they're logged in with a "Remember Me" token, they seem to be logged out and directed to the login page.
12 Replies
@awcodes I saw in another topic about this that you've never seen the JS pop-up in Filament, but it even happens in the Filament demo app. Wondering if you have something configured differently that's preventing this.
The pop-up is created by Livewire and there's a request hook to do something else instead (like refresh the page), but I'm wondering if this is the best way in Filament.
Even outside of Filament I’ve never seen the 419 in a JS alert.
Wonder if it’s tied to echo or websockets? Really don’t know.
@awcodes I can confirm that I've seen something similar to what @Tetracyclic says: I forgot to close the browser for the Filament demo (or any other Filament apps tbh) and then came back to see "Page expired", followed by that JS confirmation dialog.
I don't know the "graceful" solution to this and didn't dig deeper. I just don't see this as a problem; in my opinion it's normal behavior: the page LITERALLY expired for what it was supposed to do two hours ago. That's intended imho.
Yea. I don’t have a problem with it. I just don’t think it’s anything Filament-specific.
Oh yeah, it's outside of Filament definitely. Digging way deeper, it's how the browser/internet works 🙂
To be clear, I expect it to expire for security reasons (although I'm unsure why it's logging the user out - with a remember me token in place, it should log them back in seamlessly on a refresh), it's just that a full page modal and a clunky JS dialog aren't particularly graceful, especially when using Livewire/Filament for a SaaS or end user application, rather than just an admin panel.
I just wasn't sure if there was a better way in Filament to handle this, other than just shoving the Livewire request hook into the page via a Filament render hook and having it refresh the page immediately.
The JS Alert is all Livewire. See here:
https://livewire.laravel.com/docs/javascript#customizing-page-expiration-behavior
Yeah, I already linked that page above 😄
That's my current solution, I'm just forcing location.reload on the request failure via a Filament hook. I was just wondering if there was a better way in Filament.
It does seem to work pretty smoothly though, and having tested with a 1 minute session lifetime, reloading doesn't seem to log the user out in the same way accepting the JS dialog did (if they have a remember me token set).
Livewire does it pretty similar though:
Yeah, I'm thinking perhaps the times I was logged out during testing were when I was impersonating another user. The mismatch in remember token would explain it.
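
The approach discussed in the thread (reloading on a 419 through Livewire's request hook instead of showing the dialog), written out as an added example; it is not code from any poster, Filament or Livewire. The function name `installExpiryReload`, the storage key and the 10-second window are assumptions, and the loop guard goes beyond what the thread describes: if a reload was already triggered moments ago, Livewire's default dialog is left in place rather than reloading again.

```javascript
// Added example. RELOAD_KEY, MIN_GAP_MS and installExpiryReload are
// hypothetical names chosen for this sketch.
const RELOAD_KEY = 'expiry-reload-at'; // sessionStorage key (assumption)
const MIN_GAP_MS = 10000;              // minimum gap between forced reloads

// livewire: the global Livewire object (v3 hook API)
// reload:   function that reloads the page
// storage:  object with getItem/setItem (sessionStorage in the browser)
function installExpiryReload(livewire, { reload, storage, now = Date.now }) {
    livewire.hook('request', ({ fail }) => {
        fail(({ status, preventDefault }) => {
            // Only handle the expired CSRF token / session case.
            if (status !== 419) return;

            // Loop guard: if we reloaded very recently and still got a 419,
            // something else is wrong (e.g. the session cookie is not being
            // stored). Fall back to Livewire's default "page expired" dialog.
            const last = Number(storage.getItem(RELOAD_KEY) || 0);
            if (now() - last < MIN_GAP_MS) return;

            // Suppress the confirm() dialog and reload, which fetches a page
            // carrying a fresh CSRF token (and lets "remember me" re-auth).
            preventDefault();
            storage.setItem(RELOAD_KEY, String(now()));
            reload();
        });
    });
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof document !== 'undefined') {
    document.addEventListener('livewire:init', () => {
        installExpiryReload(window.Livewire, {
            reload: () => window.location.reload(),
            storage: window.sessionStorage,
        });
    });
}
```

Unsaved form state on the page is lost by the reload, so this suits pages where an expired session leaves nothing worth keeping.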