CSRF and expired session

Hello everyone,

I started using zend-expressive-csrf to protect my login page against CSRF following the documentation (CSRF Guards and CSRF Guard Middleware).

It works (of course) really great except when the session expires between the load of the page and the submit of the form. For example, if a user opens the login page in a tab but don’t login and comes back some time later (when the session expired), the login “process” will fail.

What would be the best way to take care of that situation ?
(increasing the time before session times out is, of course, not really a solution)

Thanks a lot ! :slight_smile:

Hello jbelien

I would say, everything works as expected. An expiring token is a feature.

This token expires after first submission or after a short amount of time, preventing replays or further submissions.

See https://docs.zendframework.com/zend-expressive-csrf/intro/.

The user can always reload the page to get a new valid token. Not sure, if zend-expressive-csrf allows to configure how long a token is valid.

1 Like

Yes, it indeed works as expected ! :slight_smile:

I wasn’t really clear enough but I was wondering what would be a best practice (not a fix).

I don’t know if there is a best practice. What I would do is represent the form again and display a message that the token expired and ask the user to submit the form again.

3 Likes

Yeah, that seems indeed the most logical and that’s what I did.
I guess I’m “far-fetching” this … :laughing:

Thanks for your feedback !