fix: stop stale CSRF token 419s on long-lived mobile tabs#327
Merged
Conversation
Long-lived mobile SPA tabs sent a CSRF token frozen at page load (from the meta tag). Once the 120-minute session rotated its token, every write returned 419 while reads kept working, so the app looked fine until you tried to change something. Read the XSRF-TOKEN cookie Sanctum keeps in sync with the session and send it as X-XSRF-TOKEN, and add a response interceptor that refreshes the CSRF cookie and replays the request once on a 419. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
http-foundation, http-kernel, mailer, mime, polyfill-intl-idn, and routing to 7.4.12/7.4.13. Clears 8 advisories (SSRF, header injection, URL generation bypasses). Patch bumps within the 7.4.x line, no app code changes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Patch, not minor: this release is a bug fix (mobile CSRF) plus a security dependency bump, no new features. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
<meta name="csrf-token">tag, captured once at page load. When the server session rotated its token, the SPA kept sending the stale one. Phones freeze tabs far longer than desktop, so they bore the brunt.resources/js/services/api.js: read theXSRF-TOKENcookie Sanctum keeps in sync with the session (sent asX-XSRF-TOKEN) instead of the frozen meta tag, plus a response interceptor that refreshes/sanctum/csrf-cookieand replays the request once on a 419.composer auditadvisories. Patch bumps within the 7.4.x line, no app code changes.Test plan
composer auditreports 0 advisories.Checklist
Co-Authored-By: Claude Opus 4.7 noreply@anthropic.com
Session Handoff (auto-updated by /handoff)
Updated: 2026-05-29
Branch: fix/csrf-stale-token-mobile
Last commit: 14b2217 chore: correct version bump to v1.10.1
What was done this session
resources/js/services/api.jsto read theXSRF-TOKENcookie (sent asX-XSRF-TOKEN) and added a 419 response interceptor that refreshes/sanctum/csrf-cookieand replays once.composer auditadvisories that were failing the gate.Quality state
What's next
/merge(squash). It tags v1.10.1 after the squash commit lands on main.Blockers / gotchas
<meta name="csrf-token">tag in app.blade.php was left in place (harmless fallback); remove later if desired.Open questions