Avoiding CSRF expiry.

[Synchro]

CSRF expiry causes me to lose data almost every day I use Nova. I've been logged in for a while, I can click around, view any number of resources, load multiple forms (which in a regular site would generate new CSRF tokens, so there's an innate expectation that it will work), click away from them, but when I eventually fill in a form and submit it, it's rejected because the CSRF token has expired, possibly many hours and dozens of clicks ago. I can "fix" it by reloading the page, but this loses data. I don't know of any other site that does this; it's really painful and actively unhelpful. There are options available:

1. Make the CSRF expiry the same as the session expiry – so if I'm still logged in, I can still submit. Not great for security, and presumably the reason why this expiry mismatch exists.
2. Refresh the CSRF token if it's expired when a form is loaded. That's a tiny performance hit, but mitigating data loss trumps performance, every time.
3. Display a warning if the CSRF token has expired at the top of every form.

I don't understand the reluctance to fix this in Nova. I don't see how it can be regarded as anything other than a catastrophic UX failing. Nova is amazing, but "surprise data loss" should not be considered a feature worth preserving.

[saschaende]

Same issue here

[niekdemelker]

Late to the party here, but CSRF is managed by the framework, and not by nova. You could change behavior so it ignores nova links i guess. See docs: https://laravel.com/docs/11.x/csrf#csrf-excluding-uris

[supgeek-rod]

CSRF expired? Maybe it has something to do with session lifetime or cache?