I'm using Laravel 5.5 and the regular provided authentication.
Situation: The user leaves his computer for 2 hours (the default session timeout) and before leaving the office, he clicks on Logout.
Problem: The user gets the following error:
The page has expired due to inactivity. Please refresh and try again.
Refreshing the page has no effect. The same message is displayed again.
With Laravel 5.4, I had the following error:
TokenMismatchException in VerifyCsrfToken.php (line 68)
The link for logout is in the layout app.blade.php and hasn't been changed:
<li>
<a href="{{ route('logout') }}"
onclick="event.preventDefault();
document.getElementById('logout-form').submit();">
<span class="glyphicon glyphicon-off"></span>
Logout
</a>
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
{{ csrf_field() }}
</form>
</li>
Question How can I avoid the csrf validation when user clicks on logout?
I've just added an exception in App\Http\Middleware\VerifyCsrfToken.php
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
'logout'
];
Ajay Deepak Kumar and Omisakin Oluwatobi are right. This makes the website vulnerable.