[4.2] CSRF Token is regenerated on high request frequency

[esbenp]

When a high amount of requests (8+) is made to my app with a high frequency (within 5-8 seconds) my CSRF token is regenerated at some point. I cannot seem to find the cause in code nor anywhere debated in documentation. I did however find a similar, unanswered question on SO from September http://stackoverflow.com/questions/25725940/laravel-4-2-generates-new-csrf-token-depending-of-requests-frequecy

I have successfully replicated the issue in this repository https://github.com/esbenp/Laravel-Session-Bug . Beware, the bug is occurring very randomly, meaning on some tries it has successfully executed 50 request with same token whilst on others the token has changed at some point. Sometimes even multiple times.

Below is an excerpt from the demo log showing the X-CSRF-Header, the Session::getToken() value and the session id for 50 requests made within a short period of time (2 seconds).

[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:07] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

[ ... 20 similar results ... ]

[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'Lmj4DlV92FRCIjEyrOEepJvFhPbhvVRlsnHnZAmA',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'Lmj4DlV92FRCIjEyrOEepJvFhPbhvVRlsnHnZAmA',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

[ ... 2 similar results ... ]

[2014-12-22 22:19:08] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []
[2014-12-22 22:19:09] local.INFO: array (
  'Header token' => 'aNPX2sglxxpxIygU5vwFSqSz3BLlWQGJ3tPszIKP',
  'Laravel token' => 'GTaUr8rHPdmxqOU4pzifswQYAUyADb8NlsvSNCvz',
  'Session ID' => '1be2059c738423eecf458c7fc5881e34cee2f21b',
) [] []

[barryvdh]

What session driver are you using? File? Can you test with other drivers, eg. database?

[esbenp]

Yes, I am currently using file driver. I will test with others later in the day and get back to you with results.

[esbenp]

I tried changing to database driver @barryvdh . This causes duplicate entry problems. I am making 10 AJAX requests, at the same time, to my Laravel application from my app. This caused 5 rows to be made in the sessions table.

4/5 red requests failed due to duplicate entry. The 5th one failed due to TokenMismatch

[bonzai]

I can confirm it too (using Laravel 5 and file driver).

[GrahamCampbell]

Can anyone send a pull to fix this?

[barryvdh]

Does anyone know what is causing this then? Or what the proposed fix is?

Could it have to do with multiple writes/reads to the session? But reading the CSRF token should just read the session, not write it, right? So not sure why it would be lost..

[henrikromby]

I have observed an issue where users would be logged out of my app if they sent too many requests in a short time (using AJAX). Never found the cause, but maybe it could be related to this issue?

[barryvdh]

Probably related to #5416 and similar?

Did this always happen, or just recently? And are you writing to the session on every request?

[avi123]

This is the 5416 issue - see explanation there.

[ammont]

@GrahamCampbell I guess this issue needs to be reopened.

[GrahamCampbell]

@ammont Hmmm, maybe. We've got no idea what is going on here.