3

I have a project where I implemented Sanctum to be used as authentication for API calls. This is the way I use it:

import axios from 'axios';

// The first request makes Laravel set the XSRF-TOKEN and session cookies;
// axios then echoes the token back in the X-XSRF-TOKEN header on the POST.
axios.get('/sanctum/csrf-cookie').then(response => {
  axios.post('/api/login', {data: data})
    .then(response => {
      // success handling
      ...
    })
    .catch(error => {
      // error handling
      ...
    });
});

When I run this as a standalone page, everything works fine. But once I try to use the same URL with the same data in an iframe within another project, I get a CSRF token mismatch error. Any guidance would be much appreciated.

2
  • Duplicate of stackoverflow.com/questions/33946295/… Commented Jan 5, 2022 at 15:52
  • @SamuelFerdary yes, I saw that one, but I'm concerned about what security threats the provided solution opens. Also, it is not a submission between different domains; everything is happening on the same site/domain. Commented Jan 6, 2022 at 6:49

2 Answers

4

iframe usage and security are use-case dependent.

Security wise:

If you care about security, don't use iframes.

See:

StackExchange: What are the security implications of having login dialog inside of an iframe

Disable CSRF on specified endpoints:

If you have specific routes that don't need CSRF protection, then you can make an exception for these routes in Http/Middleware/VerifyCsrfToken.php

See:

StackOverflow: Laravel 5 TokenMismatchException only in iFrame

Go all in on iframe support:

You can edit the session settings in config/session.php

See:

StackOverflow: Laravel 5.1 CSRF in iframe, how to make it work?


1 Comment

That page within the iframe is not used for traditional user login. The user actually logs in in the host application and then passes a token to the iframe, by which the user is identified on the application within the iframe. I don't really want to disable the CSRF check. Playing around with the session config might be a step in the right direction.

3

Go into config/session.php, and change this:

// config/session.php: the session cookie must be Secure and SameSite=None
// for a browser to attach it to requests made from inside a cross-site iframe
'secure' => env('SESSION_SECURE_COOKIE', true),
'same_site' => 'none',

Also, check your .env file for the value set for SESSION_SECURE_COOKIE, if it is set to false in the .env file then change it to true.
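The two answers above both come down to the cookie attributes Laravel puts on the session cookie and on XSRF-TOKEN. The following is an added example, not code from the question or the answers, that parses Set-Cookie headers such as the ones `/sanctum/csrf-cookie` returns and reports whether each cookie would be attached to requests made from a page embedded in a cross-site iframe. The header strings are constructed samples, the cookie names follow Laravel's defaults, and the rules encode current browser behaviour: a missing SameSite attribute is treated as Lax, Lax and Strict cookies are not sent to a cross-site iframe, and SameSite=None is honoured only when Secure is also set. If the embedding page and the embedded page are the same site, as the asker suggests in the comments, SameSite does not block the cookie and this check will report no problem.

```javascript
// Added example (not from the question or answers): diagnose whether Sanctum's
// cookies will reach the server when the page is embedded in a cross-site iframe.
// Cookie names XSRF-TOKEN and laravel_session are Laravel's defaults.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into its parts; the value itself may contain '='.
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

function crossSiteDiagnosis(cookie) {
  // Browsers treat a cookie without SameSite as Lax.
  const sameSite = cookie.sameSite || 'lax';
  if (sameSite === 'none') {
    if (!cookie.secure) {
      return { sentInIframe: false, reason: 'SameSite=None without Secure is rejected by the browser' };
    }
    return { sentInIframe: true, reason: 'SameSite=None; Secure' };
  }
  return { sentInIframe: false, reason: `SameSite=${sameSite} blocks cross-site embedding` };
}

// One diagnosis per cookie plus an overall verdict: the CSRF check needs both
// the session cookie and XSRF-TOKEN to arrive, otherwise the token mismatch occurs.
function checkIframeCookieCompat(setCookieHeaders) {
  const cookies = setCookieHeaders
    .map(parseSetCookie)
    .map((c) => ({ name: c.name, ...crossSiteDiagnosis(c) }));
  const required = ['XSRF-TOKEN', 'laravel_session'];
  const iframeLoginWorks = required.every((n) =>
    cookies.some((r) => r.name === n && r.sentInIframe)
  );
  return { cookies, iframeLoginWorks };
}

// Constructed sample headers (not captured from a real server).
// Laravel's default same_site 'lax': this is the configuration that yields the mismatch.
const DEFAULT_HEADERS = [
  'XSRF-TOKEN=abc123; Path=/; SameSite=Lax',
  'laravel_session=sess456; Path=/; HttpOnly; SameSite=Lax',
];
// After the change in the answer: same_site 'none' with SESSION_SECURE_COOKIE=true.
const IFRAME_HEADERS = [
  'XSRF-TOKEN=abc123; Path=/; Secure; SameSite=None',
  'laravel_session=sess456; Path=/; Secure; HttpOnly; SameSite=None',
];
// The mistake the answer warns about: same_site 'none' but SESSION_SECURE_COOKIE=false.
const NONE_WITHOUT_SECURE = [
  'XSRF-TOKEN=abc123; Path=/; SameSite=None',
  'laravel_session=sess456; Path=/; HttpOnly; SameSite=None',
];

for (const [label, headers] of [
  ['default (lax)', DEFAULT_HEADERS],
  ['none + secure', IFRAME_HEADERS],
  ['none without secure', NONE_WITHOUT_SECURE],
]) {
  const result = checkIframeCookieCompat(headers);
  console.log(label, '->', result.iframeLoginWorks ? 'login works in iframe' : 'token mismatch expected');
  for (const c of result.cookies) console.log('  ', c.name, ':', c.reason);
}
```

Run it with Node against the constructed headers, or swap in the real Set-Cookie values from the browser's network panel to confirm what the server is actually sending. Note that SameSite=None makes the session cookie available to any site that embeds the page, so when going this route it is worth restricting who may frame the application (for example with a Content-Security-Policy frame-ancestors directive listing only the host application) rather than disabling the CSRF check.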
