csrf-removal-checklist.md

File metadata and controls

37 lines (28 loc) · 1.43 KB

# CSRF Removal and Session-Based Authentication Implementation Checklist

## Initial Setup

- Create this checklist file

## 1. Modify bootstrap/app.php

- Remove the AddXsrfTokenMiddleware from the web middleware group

## 2. Disable CSRF Service Provider

- Update bootstrap/providers.php to comment out the CsrfServiceProvider

## 3. Create a Custom Session Middleware

- Create a new SessionAuthMiddleware that validates the session ID against the database
- Register the new middleware in bootstrap/app.php

## 4. Update Frontend Code

- Modify resources/js/bootstrap.js to remove CSRF token handling
- Update the axios interceptors to handle authentication without CSRF tokens

## 5. Update Login Flow

- Ensure the login process properly creates and stores session information
- Modify the AuthenticatedSessionController if needed

## 6. Clean Up Unused Middleware

- Remove or disable the BypassCsrfMiddleware
- Remove or disable the DisableCsrfForAllRoutes middleware
- Update the VerifyCsrfToken middleware

## 7. Testing

- Create a test script for login, authenticated routes, and logout
- Verify that login works correctly (manual testing required)
- Verify that authenticated routes work correctly (manual testing required)
- Verify that logout works correctly (manual testing required)

## 8. Final Cleanup

- Remove any remaining CSRF-related code
- Update documentation if necessary
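The SessionAuthMiddleware from step 3, written out as an added example of how the database check could look in Laravel 11; this is not the project's own code. It assumes SESSION_DRIVER=database (so Laravel keeps one row per session with user_id and last_activity columns), and the alias name `session.auth` is chosen here; only the class name comes from the checklist.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Symfony\Component\HttpFoundation\Response;

// Assumes SESSION_DRIVER=database: Laravel stores each session as a row in the
// table named by config('session.table'), including user_id and last_activity.
// Must run after StartSession, so apply it only to authenticated web routes.
// Registration in bootstrap/app.php (alias name is an assumption):
//   $middleware->alias(['session.auth' => \App\Http\Middleware\SessionAuthMiddleware::class]);
// then Route::middleware(['web', 'session.auth'])->group(...) for protected routes.
class SessionAuthMiddleware
{
    public function handle(Request $request, Closure $next): Response
    {
        $sessionId = $request->session()->getId();

        // The cookie only names a session; the database row is the authority.
        $row = DB::table(config('session.table', 'sessions'))
            ->where('id', $sessionId)
            ->first();

        // session.lifetime is in minutes; convert to seconds for the idle check.
        $maxIdleSeconds = (int) config('session.lifetime', 120) * 60;

        $valid = $row !== null
            && $row->user_id !== null
            && Auth::check()
            && (int) $row->user_id === (int) Auth::id()                 // row and guard agree
            && (time() - (int) $row->last_activity) <= $maxIdleSeconds; // not idle-expired

        if (! $valid) {
            // Drop the server-side state so a stale or unknown cookie cannot be reused.
            Auth::logout();
            $request->session()->invalidate();
            abort(401, 'Unauthenticated.');
        }

        return $next($request);
    }
}
```

The browser still attaches the session cookie to requests regardless of their origin, so this check alone does not replace what steps 1 and 2 remove; the cookie's `same_site` setting in config/session.php is the remaining control for that.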