
jabba-the-hoot

HTTP 419 form response w/SESSION_DRIVER=database

My login form was working fine when hosted on an EC2 instance using SESSION_DRIVER=file. I've deployed that same app to Laravel Vapor and made some necessary changes, including SESSION_DRIVER=database, and now in my production environment, when trying to log in with a Blade form, I always get an HTTP 419. Could someone help me figure out the cause of this?

The login form does have the @csrf token included

  <form method="POST" action="{{ route('admin-login') }}">
      @csrf
      <div class="form-group row">
      ....

One of the changes I made before this happened was that I had to change my SESSION_DRIVER to database instead of file, because Laravel Vapor runs on a Lambda and not on a persisted disk:

SESSION_DRIVER=database

Whenever I submit the login form I get this response

419 Page Expired

Any help is appreciated, thanks!

UPDATE 1

I've found that this is happening inside the VerifyCsrfToken class's tokensMatch() method; the code in Laravel is here.

  • $request->input("_token") is set correctly as the token in the HTML form (from @csrf in the blade template)
  • $request->session()->token() is set to something else entirely, causing tokensMatch() to be false

Still not sure why $request->session()->token() is set when I'm currently not logged in, and how it got set to a wrong token.

UPDATE 2

It seems SESSION_DRIVER=database is causing the issue. Every request gets a new session _token and all rows in the sessions table have user_id set to null. It seems sessions stored in the database aren't persisting for each user. Anyone have a clue why?

s4muel

do you have a SESSION_DOMAIN configured?

kreierson

Wonder if it's a cache issue?

Maybe

php artisan cache:clear
// or
php artisan config:clear

Or, could the form potentially be getting submitted twice when clicking submit?

jabba-the-hoot

Running php artisan cache:clear gave me this error on our Vapor environment: "Failed to clear cache. Make sure you have the appropriate permissions."

But running php artisan config:clear and php artisan optimize:clear had no effect.

I'm running these via the Vapor CLI, by the way, for example: vapor command preprod2 --command="php artisan optimize:clear"

jabba-the-hoot

I've found that there is a $request->session()->token() that is set, and it doesn't match $request->input('_token'), causing VerifyCsrfToken to fail. Not sure where that session token is coming from.

  • $request->input("_token") is set correctly as the token in the HTML form (from @csrf in the blade template)
  • $request->session()->token() is set to something else entirely, causing tokensMatch() to be false

jabba-the-hoot

It seems that SESSION_DRIVER=database is causing the issue. If I set it back to SESSION_DRIVER=file it works but that won't work when deployed because I'm on AWS Lambda via Vapor.

Every request gets a new session _token and all rows in the sessions table have user_id set to null. It seems sessions stored in the database aren't persisting for each user. Anyone have a clue why?

jabba-the-hoot (OP), Best Answer

Solution

  1. In session.php I set "same_site" to "lax":

     'same_site' => "lax",

  2. In Kernel.php the StartSession middleware was included in both $middleware and $middlewareGroups for "web". This was causing StartSession to run twice and overwrite the existing session with a new one on each request. Removing the duplicate in $middlewareGroups "web" fixed it.
    protected $middleware = [
        \App\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \Fruitcake\Cors\HandleCors::class,
    ];

    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\AuthenticateSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            // ------> these two below were the issue. removing them fixed it <------
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        ],
    ];
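
The accepted answer traces the 419 to a middleware class registered twice: once in the global `$middleware` stack and again inside the `web` group, so StartSession ran on every request twice. The script below is an added example, written for this page and not part of the thread or of Laravel, that flags exactly that pattern. The function name `findDuplicateMiddleware` is my own, and the two arrays are constructed from the Kernel.php posted above, in its pre-fix state. Because PHP resolves `Foo\Bar::class` to a plain string without autoloading the class, the script runs as `php check-middleware.php` with no Laravel installation present.

```php
<?php
// Added example (not from the thread or from Laravel): report middleware
// classes that are registered both in the global $middleware stack and in a
// $middlewareGroups entry. Such a class runs twice per request; for
// StartSession that means a second session is started on top of the first,
// which is what the accepted answer above identified as the cause of the 419.

declare(strict_types=1);

/**
 * @param string[]               $global Global middleware stack ($middleware).
 * @param array<string,string[]> $groups Middleware groups ($middlewareGroups).
 * @return array<string,string[]> Group name => classes also present globally.
 */
function findDuplicateMiddleware(array $global, array $groups): array
{
    // Compare fully qualified names without a leading backslash so that
    // '\Foo\Bar' and 'Foo\Bar' are treated as the same class.
    $normalise = static fn (string $class): string => ltrim($class, '\\');
    $globalSet = array_fill_keys(array_map($normalise, $global), true);

    $duplicates = [];
    foreach ($groups as $name => $stack) {
        foreach ($stack as $entry) {
            // Group entries may carry parameters, e.g. "throttle:60,1";
            // only the class part takes part in the comparison.
            $className = $normalise(explode(':', $entry, 2)[0]);
            if (isset($globalSet[$className])) {
                $duplicates[$name][] = $className;
            }
        }
    }

    return $duplicates;
}

// Constructed sample: the Kernel.php from the accepted answer, before the fix.
$middleware = [
    \App\Http\Middleware\CheckForMaintenanceMode::class,
    \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
    \App\Http\Middleware\TrimStrings::class,
    \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    \App\Http\Middleware\TrustProxies::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
    \Fruitcake\Cors\HandleCors::class,
];

$middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
    ],
    'api' => [
        'throttle:60,1',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];

$problems = findDuplicateMiddleware($middleware, $middlewareGroups);

if ($problems === []) {
    echo "No middleware is registered both globally and in a group.\n";
    exit(0);
}

foreach ($problems as $group => $classes) {
    foreach ($classes as $class) {
        echo "[{$group}] also registered globally: {$class}\n";
    }
}
// For the sample above this reports StartSession and ShareErrorsFromSession
// under [web]; a non-zero exit code lets the check fail a CI step.
exit(1);
```

To run the same check against a real application rather than the constructed arrays, resolve the kernel in `php artisan tinker` (`app(\Illuminate\Contracts\Http\Kernel::class)`) and read its protected `middleware` and `middlewareGroups` properties through `ReflectionProperty` with `setAccessible(true)`, then pass them to the function; reflection is used here because it works regardless of which accessor methods a given Laravel version exposes.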
