419 | Page Expired (CSRF token expired)

[stephenmeehanuk]

Bug description

When I try to login using Chrome, I see a 419 | Page Expired page. If I press back, I'm logged in?

• Clear all cookies and cache in Google Chrome
• Visit /cp/auth/login
• Enter login details, press login
• 419 | Page Expired
• Press refresh, nothing
• Press back, logged in?
• Log out, returns to /cp/auth/login
• Try to login again
• 419 | Page Expired
• Press back, /cp loads

On my staging site (https) I'm using STATAMIC_STATIC_CACHING_STRATEGY=half.
Someone in Discord suggested using SESSION_SECURE_COOKIE=true which I've done.

I've cleared the browser cache, and done a hard reload.

But it keeps on showing a 419 | Page Expired message.

It also happens on local (valet) http site. Not using SESSION_SECURE_COOKIE=truelocally.

How to reproduce

I think the issue is local to my browser, as it's not a problem when using incognito mode or Edge. It's happening in all browsers and in incognito mode in Chrome.

Just wondering why this would be happening?

Logs

No response

Environment

Environment
Application Name: 
Laravel Version: 10.48.10
PHP Version: 8.2.17
Composer Version: 2.7.4
Environment: staging
Debug Mode: OFF
URL: staging.website.com
Maintenance Mode: OFF

Cache
Config: CACHED
Events: NOT CACHED
Routes: CACHED
Views: CACHED

Drivers
Broadcasting: pusher
Cache: redis
Database: mysql
Logs: stack / single
Mail: smtp
Queue: redis
Session: redis

Livewire
Livewire: v3.4.11

Statamic
Addons: 6
Antlers: runtime
Sites: 1
Stache Watcher: Disabled
Static Caching: half
Version: 4.57.2 PRO

Statamic Addons
jacksleight/statamic-bard-mutator: 2.3.0
jonassiewertsen/statamic-jobs: 1.4.0
jonassiewertsen/statamic-live-search: 2.0.1
jonassiewertsen/statamic-livewire: 3.2.0
statamic/collaboration: 0.8.1
teamnovu/statamic-images-missing-alt: 1.0.2

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

Runtime (default)

Additional details

No response

[duncanmcclean]

I've moved this into a discussion since it's likely a configuration issue, rather than a bug in Statamic itself.

Can you try switching the session driver to file? Also, what do you have SESSION_LIFETIME set to in your .env?

[duncanmcclean]

That's so weird. Which browser are you using? Have you tried clearing your browser cache & cookies?

[stephenmeehanuk]

I know? I've cleared browser cache & cookies multiple times. I'll keep an eye on it, try and figure out (if I can) what triggers it. It's odd that sometimes I can press back and I'm logged into the /cp.

[duncanmcclean]

I'm guessing it works fine if you use a completely different browser?

[stephenmeehanuk]

Yup, works fine in: Safari, Chrome (Canary), Edge, Opera

Just Chrome?!

[duncanmcclean]

Very weird - sounds like it could be some kind of Chrome issue (maybe?) but weird that it'd work fine in incognito 🤷‍♂️

[stuartcusackie]

I'm seeing this happen too when using full measure static caching.

I am a blade developer. Could this be a blade thing? I tried moving my csrf tag to the @nocache directive but that didn't solve it.

I also tried doing a replacement with custom javascript, but the page has already expired by the time the script runs.

The only thing that works is to exclude 'livewire/*' in the VerifyCsrfToken Middleware, which I don't like doing.

[aerni]

So you're using Livewire on that page then? There are a couple of PR's trying to make this experience better.
#10306 #10898 #11014.

Make sure you're on the latest Statamic version.

[stuartcusackie]

I am indeed using Livewire on the expired pages.

Those solution look good. It's a tricky problem I see! I'll keep my eye on those. Thank you!