forms - Laravel 5 Auth Post Submit - TokenMismatchException in VerifyCsrfToken.php line 46

Question

Have just statred a new app in Laravel 5 and I am having some trouble using the out of the box auth...

I keep getting : TokenMismatchException in VerifyCsrfToken.php line 46: on submitting the login or signup forms...

I can see on the login form page the token codes that are in the hidden form field and Session at that point are the same...

As a test I have also tried as some other posts suggested commenting out //'AppHttpMiddlewareVerifyCsrfToken', in app/Http/kernal.php to see what would happen. After doing this every time I submit a form I get a message which says redirecting to: /auth/login or /auth/register depending on where I came from with no success.

The weird thing was this was working when I first installed the framework. All I have done since then is run a few migrations and setup some of my models and controllers and seeded the db with some user data.

UPDATE:

Looking into this further in the function tokensMatch() on line 55 of VerifyCsrfToken.php if I :

var_dump($request->session()->token());

var_dump($request->input('_token'));

I can see the two tokens are different but at the form using:

var_dump(Session::all());

{{{ csrf_token() }}}

They are the same. The Session token has changed some how before it gets to the function tokensMatch() on line 55 of VerifyCsrfToken.php

My stack trace is as follows:

in VerifyCsrfToken.php line 46
at VerifyCsrfToken->handle(object(Request), object(Closure)) in VerifyCsrfToken.php line 17
at VerifyCsrfToken->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request)) in ShareErrorsFromSession.php line 55
at ShareErrorsFromSession->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request)) in StartSession.php line 61
at StartSession->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 36
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request)) in EncryptCookies.php line 40
at EncryptCookies->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request)) in CheckForMaintenanceMode.php line 42
at CheckForMaintenanceMode->handle(object(Request), object(Closure)) in Pipeline.php line 125
at Pipeline->IlluminatePipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 101
at Pipeline->then(object(Closure)) in Kernel.php line 111
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 84
at Kernel->handle(object(Request)) in index.php line 53

Answer 1

I first just got it working removing the line:

'IlluminateFoundationHttpMiddlewareVerifyCsrfToken'

from /app/Http/Resquests/Kernel.php. However, this means the CSRF token check will be removed, which implies that your website will not be protected from cross-site request forgeries.

Update According to the documentation, you should add the CSRF token to your form by adding this snippet to your code:

<input type="hidden" name="_token" value="{{ csrf_token() }}">

I used first way in backend services for mobile application but I find I can send send CSRF header within requests.