Differences
This shows you the differences between two versions of the page.
| Next revision Both sides next revision | |||
|
litespeed_wiki:cache:laravel_esi [2019/04/10 11:59] Lucas Rolff created |
litespeed_wiki:cache:laravel_esi [2019/04/10 14:06] Lisa Clarke Proofreading |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | =====Use LSCache with CSRF Tokens in Laravel===== | + | ======Use LSCache with CSRF Tokens in Laravel====== |
| When you're building a web application that contains forms, it's quite common that you have CSRF tokens to prevent cross-site scripting (XSS). However, if you want to use LSCache within your application, this often breaks form submissions because everyone gets the same CSRF token, unless you've set private cache as the default when enabling LSCache. | When you're building a web application that contains forms, it's quite common that you have CSRF tokens to prevent cross-site scripting (XSS). However, if you want to use LSCache within your application, this often breaks form submissions because everyone gets the same CSRF token, unless you've set private cache as the default when enabling LSCache. | ||
| Line 18: | Line 18: | ||
| The default session timeout in Laravel is 120 minutes (2 hours). By setting a lower max-age on the cache-control for CSRF, we make sure that the ''/csrf'' endpoint gets called every 15 minutes (if the visitor has activity), this will keep the session "alive" and continue to extend the lifetime of the session by 120 minutes after "last activity". | The default session timeout in Laravel is 120 minutes (2 hours). By setting a lower max-age on the cache-control for CSRF, we make sure that the ''/csrf'' endpoint gets called every 15 minutes (if the visitor has activity), this will keep the session "alive" and continue to extend the lifetime of the session by 120 minutes after "last activity". | ||
| - | ===CSRF Tokens in Forms=== | + | =====CSRF Tokens in Forms===== |
| Next, we add an ''ESI_ENABLED=true'' to our .env file, since we'll use this in our views where we need the CSRF token. | Next, we add an ''ESI_ENABLED=true'' to our .env file, since we'll use this in our views where we need the CSRF token. | ||
| Line 42: | Line 42: | ||
| What we do is to check whether ''ESI_ENABLED'' is ''true''. If it is, we generate our token using the esi:include call. If ''ESI_ENABLED'' is set to ''false'', we use the Laravel helper @csrf to generate the CSRF token. | What we do is to check whether ''ESI_ENABLED'' is ''true''. If it is, we generate our token using the esi:include call. If ''ESI_ENABLED'' is set to ''false'', we use the Laravel helper @csrf to generate the CSRF token. | ||
| - | ===CSRF Meta Tag Token=== | + | =====CSRF Meta Tag Token===== |
| Laravel also stores your CSRF token in a meta tag. This is used for JavaScript-driven applications, so we want to make sure the token is available in a meta tag as well. | Laravel also stores your CSRF token in a meta tag. This is used for JavaScript-driven applications, so we want to make sure the token is available in a meta tag as well. | ||
| Line 60: | Line 60: | ||
| We once again simply use our ''ESI_ENABLED'' environment variable to handle the decision whether to use ESI or not. | We once again simply use our ''ESI_ENABLED'' environment variable to handle the decision whether to use ESI or not. | ||
| - | ===CSRF in window.Laravel Implementation=== | + | =====CSRF in window.Laravel Implementation===== |
| Older Laravel applications can also have their CSRF token set in a ''window.Laravel'' variable in JavaScript. This method isn't used anymore, but in case you have an older Laravel application, you can also handle this by doing: | Older Laravel applications can also have their CSRF token set in a ''window.Laravel'' variable in JavaScript. This method isn't used anymore, but in case you have an older Laravel application, you can also handle this by doing: | ||
| Line 72: | Line 72: | ||
| </script> | </script> | ||
| - | ==Remember to enable ESI== | + | =====Remember to Enable ESI===== |
| In your .htaccess file, you can enable ESI for all requests: | In your .htaccess file, you can enable ESI for all requests: | ||