Laravel 5 Auth Post Submit - TokenMismatchException in VerifyCsrfToken.php line 46

Question

Have just statred a new app in Laravel 5 and I am having some trouble using the out of the box auth...

I keep getting : TokenMismatchException in VerifyCsrfToken.php line 46: on submitting the login or signup forms...

I can see on the login form page the token codes that are in the hidden form field and Session at that point are the same...

As a test I have also tried as some other posts suggested commenting out //'App\Http\Middleware\VerifyCsrfToken', in app/Http/kernal.php to see what would happen. After doing this every time I submit a form I get a message which says redirecting to: /auth/login or /auth/register depending on where I came from with no success.

The weird thing was this was working when I first installed the framework. All I have done since then is run a few migrations and setup some of my models and controllers and seeded the db with some user data.

UPDATE:

Looking into this further in the function tokensMatch() on line 55 of VerifyCsrfToken.php if I :

var_dump($request->session()->token());  var_dump($request->input('_token')); 

I can see the two tokens are different but at the form using:

var_dump(Session::all());  {{{ csrf_token() }}} 

They are the same. The Session token has changed some how before it gets to the function tokensMatch() on line 55 of VerifyCsrfToken.php

My stack trace is as follows:

in VerifyCsrfToken.php line 46 at VerifyCsrfToken->handle(object(Request), object(Closure)) in VerifyCsrfToken.php line 17 at VerifyCsrfToken->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in ShareErrorsFromSession.php line 55 at ShareErrorsFromSession->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in StartSession.php line 61 at StartSession->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 36 at AddQueuedCookiesToResponse->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in EncryptCookies.php line 40 at EncryptCookies->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in CheckForMaintenanceMode.php line 42 at CheckForMaintenanceMode->handle(object(Request), object(Closure)) in Pipeline.php line 125 at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) at call_user_func(object(Closure), object(Request)) in Pipeline.php line 101 at Pipeline->then(object(Closure)) in Kernel.php line 111 at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 84 at Kernel->handle(object(Request)) in index.php line 53 

Answer 1

I first just got it working removing the line:

'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken'

from /app/Http/Resquests/Kernel.php. However, this means the CSRF token check will be removed, which implies that your website will not be protected from cross-site request forgeries.

Update According to the documentation, you should add the CSRF token to your form by adding this snippet to your code:

<input type="hidden" name="_token" value="{{ csrf_token() }}"> 

I used first way in backend services for mobile application but I find I can send send CSRF header within requests.