Security Class “The action you have requested is not allowed.”
Posted: 29 January 2011 05:55 AM
Joined: 2007-03-21
262 posts

I have

$config['csrf_protection'] = TRUE;


I am using Ion Auth.

When a user is logged in, walks away and the session expires, if they try to submit the form they get the “The action you have requested is not allowed.” error, for obvious reasons. But I don’t want this to happen until after the user is checked for being logged in.

So how can I make the logged-in check fire before the csrf form protection?

This must be an issue/problem someone has also been faced with?

 
Posted: 30 January 2011 01:24 AM   [ # 1 ]
Joined: 2006-12-04
515 posts

The csrf is run very early on, so you would have to do some extending or maybe utilize hooks to do processing before that happens.

 Signature 

————————
Eric Barnes | Twitter
————————
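
One way to do the extending suggested above while leaving the CSRF check itself in place (an added example, not code from this thread or from CodeIgniter; it assumes a CodeIgniter 2.x release in which CI_Security calls csrf_show_error() when token validation fails, the default MY_ subclass prefix, and a hypothetical login route auth/login):

```php
<?php
// application/core/MY_Security.php
// Added example. Assumes CI_Security::csrf_show_error() is the failure
// handler and that the subclass prefix is the default "MY_".
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    /**
     * Runs when the posted CSRF token is missing or does not match.
     * The controller, session library and Ion Auth are not loaded at
     * this point, so no login check is possible here. The rejected POST
     * is still dropped; only the response shown to the user changes.
     */
    public function csrf_show_error()
    {
        // XHR callers get a status code they can react to, not a redirect.
        $xhr = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
            && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
        if ($xhr)
        {
            header('HTTP/1.1 403 Forbidden');
            exit('CSRF token missing or expired');
        }

        // Build a fixed, same-site target from config values only, so no
        // request data can influence where the browser is sent.
        $base  = rtrim(config_item('base_url'), '/');
        $index = trim((string) config_item('index_page'), '/');
        $path  = 'auth/login';   // hypothetical route, adjust to the app
        $url   = $base . '/' . ($index !== '' ? $index . '/' : '') . $path;

        // The login controller can read ?expired=1 and tell the user the
        // form timed out and must be submitted again after signing in.
        header('Location: ' . $url . '?expired=1', TRUE, 302);
        exit;
    }
}
```

The submitted form data is discarded in both branches, so an expired or forged token never reaches a controller.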

 
Posted: 30 January 2011 01:42 AM   [ # 2 ]
Joined: 2007-03-21
262 posts

Any ideas then as to how I’d stop this from happening?

Situation:

User is logged in, session expires, they submit the form and get “The action you have requested is not allowed.”

I can’t be the only one who would be running into this problem.

Thanks.

 
Posted: 31 January 2011 01:09 AM   [ # 3 ]
Joined: 2007-03-21
262 posts

Is it possible to turn on csrf protection on a per controller basis?

I’d want it on forms that do not require authentication, but once a user is logged in it should not matter as much.

That’s the only solution apart from having a meta refresh set to the session expire time so that there would never be an instance where the user would be logged in and see a form but have an expired session.