Set logout route in Laravel 5.5

Published 10 months ago by JokersMild85

Not sure what I did, but when I log out of my session it redirects to a weird "timeout due to inactivity" page on my site. Does anyone know where I can set my route on logout?

mushood

If you check your sessions.php file in your config folder, you can see a property called lifetime which is by default 120 minutes. That means that the CSRF tokens for all forms will expire due to inactivity after that time.

Solution 1: Increase the lifetime of your CSRF token.

Now if you go in your app/http/middleware, you will find your VerifyCsrfToken.php and in it you will have your $except array.

Solution 2: You can add the logout URL to this array to disable CSRF token verification for your logout route.

Hope this helps

ahmeddabak

The logout route in Laravel is a POST route. This means it needs to be called using a form, and Laravel protects all forms from attacks using the CSRF token.

Check the code for your logout link. If you use the default code shipped with Laravel, it should look like this:

<a class="nav-link text-success btn btn-outline-success" href="{{ route('logout') }}"
   onclick="event.preventDefault(); document.getElementById('logout-form').submit();">
    Logout
</a>

<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
    {{ csrf_field() }}
</form>

Most likely you have removed the {{ csrf_field() }} from the logout form.

JokersMild85

Neither of these solutions resolves the problem. I receive the timeout page if I log out of my session immediately after logging in.

I did not delete the {{ csrf_field() }} from the logout form.

The only thing I did that I think began this problem was changing the redirect on login from the default Home page to a different page.

Corban

Can we see your code?

There's no real need for POST; you can also use GET and just call /logout.

Anyway, something like this should work if you are using Laravel 5.5:

YourViewName.blade.php

{{-- some code here... --}}

{{-- The form posts to the /logout route defined in the web routes file --}}
<form class="" action="/logout" method="post">
  {{ csrf_field() }}
  <button type="submit" name="logout">Logout</button>
</form>

{{-- maybe more code here --}}

your web file

//other routes here
Route::post('/logout', 'SessionsController@Logout');

your sessionscontroller

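public function Logout()
{
    // End the authenticated session for the current user
    auth()->logout();

    // Flash a one-time message for the next request
    session()->flash('message', 'Some goodbye message');

    return redirect('/login');
}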

Snapey

Using POST is a security enhancement to prevent being logged out by an XSS vulnerability. Disabling CSRF for this form is not advised.

The best solution is to change logout to a link that returns a dedicated view that contains the logout form with a message like 'you will now be logged out' and a confirm button.

It's an extra click for the user but means that they never see a timeout.

As for this issue, if the CSRF token is being passed with the form but it is still invalid, then maybe there is a problem persisting the session. Make sure cookies are not blocked in the browser and use network tools in the browser to see what is being posted.
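
The confirmation-page approach described in the reply above, as an added example that is not code from the thread or from Laravel itself: the GET route only renders a freshly tokenised form, and the logout stays on a CSRF-checked POST. It assumes Laravel 5.5 and that these routes replace the default logout route; the `/logout/confirm` path, the `logout.confirm` route name and the `auth.logout-confirm` view name are hypothetical.

```php
<?php
// Added example. Hypothetical names: '/logout/confirm', 'logout.confirm',
// and the view 'auth.logout-confirm'.

// --- routes/web.php ---
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// GET only renders the confirmation page. It changes no state, so a request
// forged from another site cannot end the user's session through it.
// Because the page is rendered at click time, its CSRF token is current.
Route::get('/logout/confirm', function () {
    return view('auth.logout-confirm');
})->middleware('auth')->name('logout.confirm');

// The state change stays on POST inside the 'web' group, so VerifyCsrfToken
// still checks the token. The route is NOT added to the $except array.
Route::post('/logout', function (Request $request) {
    Auth::logout();
    $request->session()->invalidate();      // flush data, issue a new session ID
    $request->session()->regenerateToken(); // issue a fresh CSRF token

    // This is where the post-logout destination is set.
    return redirect('/login')->with('message', 'You have been logged out.');
})->name('logout');

/* --- resources/views/auth/logout-confirm.blade.php ---
<p>You will now be logged out.</p>

<form action="{{ route('logout') }}" method="POST">
    {{ csrf_field() }}
    <button type="submit">Confirm logout</button>
</form>
*/
```

The navigation link then points at `route('logout.confirm')` instead of submitting a hidden form from a page that may have been open longer than the session lifetime.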
