Monday, 26 October 2015

Requests to /autodiscover/autodiscover.xml causing TokenMismatchException

I have a Laravel app that is getting a reasonable amount of traffic.

To more gracefully handle exceptions of the TokenMismatchException type (which tend to get thrown when the session lifetime expires and then a user submits a form), I have altered the render() method of the exception handler, as follows:

/**
 * Render an exception into an HTTP response.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Exception  $e
 * @return \Illuminate\Http\Response
 */
public function render($request, Exception $e)
{
    if ($e instanceof \Illuminate\Session\TokenMismatchException){

        return redirect($request->fullUrl())->with('error',"Sorry your session has expired please resubmit your request.");
    }

    return parent::render($request, $e);
}

This is working fine for normal requests, and instead of throwing the exception, it sets a session flash message and redirects back to the requested page. However, I'm noticing lots of these exceptions still being thrown for the following request:

/autodiscover/autodiscover.xml

I'm aware the above is something to do with Exchange, so it's probably not malicious.

What I'm confused about is a) why is this unrouted URL triggering Laravel's CSRF protection and b) why is my updated handler not catching the exception?

I've tried adding a route for this URL, and manually throwing a 404, but this hasn't helped.

What can I do to prevent these exceptions being thrown?



via Chebli Mohamed
