php - How specifically does Laravel build and check a CSRF token? -


I'm using Laravel's CSRF protection on a public site. Since Laravel uses the session to maintain this, I'm worried that a user might walk away from the computer, return to the page they have left open, and find that AJAX requests don't work. The AJAX requests don't work because the session has timed out (and the token no longer validates?). If these were "logged in" users, I would redirect them to the login page. Since they are public users, the user is forced to refresh the page to get it working (awkward).

Or am I wrong about this? Is the CSRF token still validated by Laravel (even after the session has timed out, the page will still send the token... but does Laravel accept it?). The optimal solution would be to have tokens partially based on a timestamp, to give tokens expiration limits apart from the session time limits. Make CSRF tokens last 2 days (so users who walk away for 2 days return to a dead page).

Ultimately this brings me to the question: where is the specific code in the Laravel framework that handles this? I'm trying to locate it. Also, is there an easy drop-in replacement I can make, or am I left to create my own version of csrf_token() to output in pages, and need to create my own route filter to go with it?

Laravel facilitates keeping the token stored in the session, but the code is yours (to change as you wish). Take a look at filters.php and you should see:

    Route::filter('csrf', function()
    {
        if (Session::token() != Input::get('_token'))
        {
            throw new Illuminate\Session\TokenMismatchException;
        }
    });

It tells you that if you have a route:

    Route::post('myform', ['before' => 'csrf', 'uses' => 'MyController@update']);

and the user session expires, it will raise an exception, but you can work it out yourself: keep your own token stored wherever you think is better, and instead of throwing an exception, redirect the user to the login page:

    Route::filter('csrf', function()
    {
        if (MySession::token() != MyCsrfToken::get())
        {
            return Redirect::to('login');
        }
    });

And, yes, you can create your own csrf_token(), but you have to load it before Laravel does. If you look at the helpers.php file in the Laravel source code, you'll see it creates the function only if it doesn't exist:

    if ( ! function_exists('csrf_token'))
    {
        function csrf_token()
        {
            ...
        }
    }
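The following is an added example, not code from the question, the answer, or Laravel itself. It shows one way to build the timestamp-limited token the question asks for without tying its lifetime to the PHP session: the token is "timestamp.hmac", where the HMAC covers a random per-browser id kept in a separate long-lived cookie. The constant names, the csrf_* helper functions, the 2-day limit and the use of Config/Input/Request/Response facades in the commented filter are assumptions for illustration; the example assumes PHP 7.1 or later (random_bytes, hash_equals, nullable parameter types).

```php
<?php
// Added example: a signed, time-limited CSRF token bound to a random per-browser
// cookie instead of to the PHP session, so expiry is independent of session lifetime.
// Assumed names: CSRF_COOKIE, CSRF_MAX_AGE and the csrf_* helpers are hypothetical.

const CSRF_COOKIE  = 'csrf_id';      // random id, long-lived; NOT the session cookie
const CSRF_MAX_AGE = 2 * 24 * 3600;  // tokens stay valid for 2 days, as the question wants

/** Return the per-browser id from the cookie, creating it on the first visit. */
function csrf_client_id(): string
{
    if (empty($_COOKIE[CSRF_COOKIE])) {
        $id = bin2hex(random_bytes(16));
        // Secure + HttpOnly: page JavaScript never needs the id, only the token below.
        setcookie(CSRF_COOKIE, $id, time() + CSRF_MAX_AGE, '/', '', true, true);
        $_COOKIE[CSRF_COOKIE] = $id;
    }
    return $_COOKIE[CSRF_COOKIE];
}

/** Build "timestamp.hmac"; the HMAC binds the client id and the issue time together. */
function csrf_token_make(string $secret, string $clientId, ?int $now = null): string
{
    $now = $now ?? time();
    $mac = hash_hmac('sha256', $clientId . '|' . $now, $secret);
    return $now . '.' . $mac;
}

/** Verify a submitted token against the request's cookie id and the max age. */
function csrf_token_check(string $secret, string $clientId, string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[0])) {
        return false;                         // malformed token
    }
    $issued = (int) $parts[0];
    $mac    = $parts[1];
    if ($issued > $now || $now - $issued > CSRF_MAX_AGE) {
        return false;                         // expired (or issued "in the future")
    }
    $expected = hash_hmac('sha256', $clientId . '|' . $issued, $secret);
    return hash_equals($expected, $mac);      // constant-time comparison
}

// Hypothetical drop-in for the Laravel 4 'csrf' filter shown in the answer above.
// Embed csrf_token_make(Config::get('app.key'), csrf_client_id()) in the page
// (hidden field or meta tag) instead of Session::token().
//
// Route::filter('csrf', function () {
//     $secret = Config::get('app.key');
//     $token  = Input::get('_token') ?: Request::header('X-CSRF-Token');
//     if (!csrf_token_check($secret, csrf_client_id(), (string) $token)) {
//         return Response::make('CSRF token expired, please reload the page', 403);
//     }
// });
```

Two design points are worth spelling out. First, the token must be bound to something only the legitimate browser sends; a token derived from the timestamp and server secret alone would be accepted from any browser, so it would not protect against cross-site requests at all. Binding it to the cookie id closes that gap, and because the cookie is separate from the session cookie, a session timeout no longer invalidates the token. Second, the check uses hash_equals rather than the loose != comparison in the filter above: != in PHP compares numeric-looking strings numerically, and it is not constant-time.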
