# How to prefix the XSRF-TOKEN cookie?

13 messages · Page 1 of 1 (latest)

peak ember
#

Hey guys,

Do you know how I can prefix the XSRF-TOKEN?
Because I have some applications that share the sessions, but across the same sub-domain.

AppA is on the domain .mydomain.com
AppB and C are on a sub-domain .sub.mydomain.com

And there is a conflict with the XSRF-TOKEN that results in a 419 Page Expired, that's why I need to prefix it.

tall sierra
peak ember
#

Yep, I've already tried to override it on lines 206 and 226, but it still tries to get the cookie from XSRF-TOKEN I guess, because I'm getting a 419 on all pages @tall sierra

    <?php

    use Illuminate\Cookie\Middleware\EncryptCookies;
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
    use Symfony\Component\HttpFoundation\Cookie;

    class VerifyCsrfToken extends Middleware
    {
        // Override of Laravel's newCookie(): same arguments as the framework's
        // version, only the cookie name is changed to prefix-XSRF-TOKEN
        protected function newCookie($request, $config)
        {
            return new Cookie(
                'prefix-XSRF-TOKEN',
                $request->session()->token(),
                $this->availableAt(60 * $config['lifetime']),
                $config['path'],
                $config['domain'],
                $config['secure'],
                false,
                false,
                $config['same_site'] ?? null,
                $config['partitioned'] ?? false
            );
        }

        // Mirrors the framework's serialized(), which asks EncryptCookies about
        // the XSRF cookie by name, so the renamed cookie is treated the same way
        public static function serialized()
        {
            return EncryptCookies::serialized('prefix-XSRF-TOKEN');
        }
    }
tall sierra
#

You'd still need to set the header though. If you're using Axios, that would mean you'd need to attach the header yourself.

peak ember
#

Oh, you think it's because I didn't attach it with Axios? Ok ok

And another question, do you think there is a better way to "fix" this issue I'm getting with different domain/subdomain?

#

(btw, for info, I'm using InertiaJS)

tall sierra
#

I guess by not setting the cookie on subdomains, so they wouldn't collide.

peak ember
#

So you mean having no cookie? But how do you handle the CSRF protection?

#

Because the user can be connected on both applications at the same time, App A (main domain) and App B (sub domain)

tall sierra
#

"So you mean having no cookie?"
No, by not using .domain.com for the cookies but instead using domain.com; then the cookie wouldn't be a wildcard cookie for every subdomain.

#

Not saying that's the solution you should take; it's a solution you could take.

peak ember
#

The problem is that we are using sub-domain applications.

Each application has:

  • bx.mydomain.com
  • dashboard.mydomain.com
  • api.mydomain.com

And that's the same for all apps, so:

  • bx.sub.mydomain.com
  • dashboard.sub.mydomain.com
  • api.sub.mydomain.com
#

That's why we add the wildcard, to share the cookie between the 3 subdomains of each application. @tall sierra
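The collision the thread is about comes from cookie scoping: a cookie set for .mydomain.com is also sent to every host under sub.mydomain.com, so the two apps' XSRF-TOKEN cookies end up in the same Cookie header. This added example (not code from the thread or from Laravel) models RFC 6265 domain matching over a constructed cookie jar to show which cookies each host receives, what the prefix approach changes, and what a host-only cookie would change instead; the app names, token values and the `appb-` prefix are assumptions.

```javascript
// Added example (not from the thread): models RFC 6265 cookie domain matching
// to show why two XSRF-TOKEN cookies collide on sub.mydomain.com hosts.

// A cookie with no Domain attribute is host-only (Laravel: 'domain' => null)
// and is sent back only to the host that set it. With a Domain attribute it
// is sent to that domain and every host beneath it (RFC 6265 section 5.1.3).
function isSentTo(cookie, host) {
  const h = host.toLowerCase();
  if (cookie.domain === null) return h === cookie.setBy.toLowerCase();
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// The Cookie header the browser would build for `host`, as "name=value" pairs.
// Order matters: a server typically reads the first cookie with a given name.
function cookieHeaderFor(jar, host) {
  return jar.filter(c => isSentTo(c, host)).map(c => `${c.name}=${c.value}`);
}

// Names that appear more than once in that header: the collision behind the
// 419 when the other app's token is the one that gets read.
function duplicateNames(jar, host) {
  const counts = new Map();
  for (const c of jar.filter(c => isSentTo(c, host))) {
    counts.set(c.name, (counts.get(c.name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed jar: App A scopes its token to .mydomain.com, App B to .sub.mydomain.com.
const collidingJar = [
  { name: 'XSRF-TOKEN', value: 'tokenA', domain: '.mydomain.com', setBy: 'bx.mydomain.com' },
  { name: 'XSRF-TOKEN', value: 'tokenB', domain: '.sub.mydomain.com', setBy: 'bx.sub.mydomain.com' },
];

// Same jar after App B renames its cookie (the prefix approach from the thread).
const prefixedJar = collidingJar.map(c =>
  c.domain === '.sub.mydomain.com' ? { ...c, name: 'appb-XSRF-TOKEN' } : c);

// Same jar if App A instead issues a host-only cookie (no Domain attribute), the
// narrower scope raised above: it no longer reaches sub.mydomain.com hosts, but
// it is no longer shared between bx/dashboard/api.mydomain.com either.
const hostOnlyJar = collidingJar.map(c =>
  c.domain === '.mydomain.com' ? { ...c, domain: null } : c);

// Axios options App B's front end needs so the X-XSRF-TOKEN header is filled
// from the renamed cookie (Axios reads a cookie named XSRF-TOKEN by default).
const appBAxiosDefaults = { xsrfCookieName: 'appb-XSRF-TOKEN', xsrfHeaderName: 'X-XSRF-TOKEN' };
```

Running `duplicateNames(collidingJar, 'bx.sub.mydomain.com')` reports the clashing XSRF-TOKEN name, while the prefixed jar reports none.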