Laravel 4.2 generates new CSRF token depending of requests frequecy?

Question

I've encountered strange behavior of CSRF token in Laravel 4.2. - token was changing between requests (not always, but randomly).

First thought was that I had problems with garbage collection or there was some bug in Laravel. And even more - this happens only on remote server and locally everything is OK. However, server settings and session config is the same.

Garbage collection in php.ini is turned off. The only GC that works is the one started by cron every 30 minutes, however, that also does not relate to this problem - I've checked.

1) If I send ajax requests not frequently (e.g. one time every second) - it works during hours without problems.

2) When I send ajax requests very often during small period of time (20 times during 3-5 seconds) - the token is changed after 15-th or 20-th request. Sometimes even on the 10-th.

Is there some hidden functionality (I did not found that, however) that changes token if it looks like 'dangerous' requests, checking frequency?

Answer 1

I believe that this is because the Laravel file session driver does not provide locking. I would suggest switching to the database session driver in app\config\session.php and see if you get the expected result.

Here are the relevant docs: http://laravel.com/docs/4.2/session#session-drivers