I'm creating a web app in Laravel, but CSRF is killing its ajax functionality.
The submission of the token with ajax works fine, using ajaxSetup I can attach the token to every request, so no problem with this part.
But every time the user leaves the browser window for too long (perhaps a couple hours or more) ajax requests start returning error 500 (token mismatch) - perhaps the server updates the token and the client keeps the old one, forcing the user to refresh the page to keep it functional, something I don't want to do.
So I was thinking of creating some sort of ajax timer to get the updated csrf token from the server every once in a while.. but it seems a bit of a hackish solution, and maybe even useless? (if I'm serving the token, someone can request it and still do a csrf attack, right?)
To solve this issue once and for all, I would have to do something more risky, disabling CSRF completely for ajax calls. My question is: Could this really hurt my security that bad? I've seen many people recommending to turn it off, but it seems like a big deal if someone can cross-request sensitive actions on a user account (such as delete account or something like this)
What would you guys recommend? This issue is keeping me awake a night :/
I have only on option in mind for now...
You can start looking at CORS configurations on your application.
Changing Access-Control-Allow-Origin headers for few routes. reference