I am creating forms, and it does not matter how I do it, the CSRF _token is always the same!
It doesn't matter if I use
{{ Form::open(['route' => 'login']) }}
or if I use
{{ Form::token() }}
It is the same one every single time. Even after I make a successful Form submission. I figured it would get consumed and a new one would be generated, but no!
Did I miss a configuration step?
Note: I know that if the laravel_session gets regenerated, the _token is different, but as I had understood, the CSRF token was also the mechanism to avoid multiple form submissions, so it should change on every refresh of the page, or at least after it is consumed by one successful post submission, no?
It becomes invalid once your session expires. Thus if you set the lifetime to 1 week, the CSRF token will only expire after 1 week. This can be achieved like this in config/session.
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the person actually making the requests to the application.
A CSRF Token is a secret, unique and unpredictable value a server-side application generates in order to protect CSRF vulnerable resources. The tokens are generated and submitted by the server-side application in a subsequent HTTP request made by the client.
It is not necessary to refresh the CSRF token for every request; generating the token per session will also be safe. Have a look at the OWASP cheat sheet for a better explanation.
Regenerating the token for every request can be done, but can result in usability issues. I think this is the reason why Laravel implements the token per session approach.
From the code, the only relevant occurrences of _token or regenerateToken are in Illuminate/Session/Store, lines 89, 551 and 571. The occurrences being:
public function start()
{
    $this->loadSession();
    // Only mint a token when the loaded session does not already carry one
    if ( ! $this->has('_token')) $this->regenerateToken();
    return $this->started = true;
}
public function token()
{
    // Returns whatever token is stored in the session, unchanged between requests
    return $this->get('_token');
}
public function regenerateToken()
{
    // Called from start() only when '_token' is missing, never automatically after a request
    $this->put('_token', str_random(40));
}
This means that the token only gets regenerated when it is not present in the session. You have to regenerate it yourself if you want to, i.e. with Session::forget('_token');
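To see the behaviour the answers above describe in one runnable place, here is an added example (not from the question, the answers or Laravel's own source) that stands in for Illuminate\Session\Store with the same start()/token()/regenerateToken() logic; tokensMatch() is an assumed helper showing the constant-time comparison a CSRF middleware would make against the submitted form value.

```php
<?php
// Added example, not Laravel's own code: a minimal stand-in for Illuminate\Session\Store
// reproducing start()/token()/regenerateToken() so the per-session token behaviour can be
// run without a Laravel install. tokensMatch() is an assumed helper, not a Store method.
final class DemoSessionStore
{
    private array $attributes = [];
    public function has(string $key): bool     { return isset($this->attributes[$key]); }
    public function get(string $key)           { return $this->attributes[$key] ?? null; }
    public function put(string $key, $v): void { $this->attributes[$key] = $v; }
    public function forget(string $key): void  { unset($this->attributes[$key]); }

    // Mirrors Store::start(): a token is minted only when the session has none.
    public function start(): bool
    {
        if (! $this->has('_token')) {
            $this->regenerateToken();
        }
        return true;
    }

    public function token(): string { return (string) $this->get('_token'); }

    // Laravel uses str_random(40); random_bytes() gives an equally unpredictable 40-char value.
    public function regenerateToken(): void
    {
        $this->put('_token', bin2hex(random_bytes(20)));
    }

    // What a CSRF middleware checks: submitted _token equals the session's, compared in constant time.
    public function tokensMatch(?string $submitted): bool
    {
        return is_string($submitted) && hash_equals($this->token(), $submitted);
    }
}

$session = new DemoSessionStore();
$session->start();
$first = $session->token();
$session->start();                                           // second request, same session
$stable  = $session->token() === $first;                     // true: token is per session, not per request
$accepts = $session->tokensMatch($first);                    // true: a form carrying that token passes
$rejects = ! $session->tokensMatch('not-the-session-token'); // true: anything else is refused
$session->forget('_token');                                  // the explicit rotation from the answer above
$session->start();
$rotated = $session->token() !== $first;                     // true: only a missing token is regenerated
echo json_encode(compact('stable', 'accepts', 'rejects', 'rotated')), PHP_EOL;
```

Running it prints all four flags as true, which is exactly the behaviour the question observed: the token survives every request and successful submission until the session loses it.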