nolros's avatar
Level 23

Cannot get Csrf Token withErrors to work

Any ideas why Csrf token mismatch will not display error messages? I know it works as I'm using the exact same code and key for form validation.

I've also tried cleaning out view cache in storage.

It is redirecting fine, but not with the error messages. Not even showing up in MessageBag.

class Handler extends ExceptionHandler {

    /**
     * A list of the exception types that should not be reported.
     *
     * @var array
     */
    protected $dontReport = [
        'Symfony\Component\HttpKernel\Exception\HttpException'
    ];

    /**
     * Report or log an exception.
     *
     * This is a great spot to send exceptions to Sentry, Bugsnag, etc.
     *
     * @param  \Exception  $e
     * @return void
     */
    public function report(Exception $e)
    {
        return parent::report($e);
    }

    /**
     * Render an exception into an HTTP response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Exception  $e
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $e)
    {
        if ($e instanceof TokenMismatchException)
        {
            return redirect()->back()->withErrors([
                'email' => 'You have been logged out the system due to inactivity.'
            ]);
        }

        return parent::render($request, $e);
    }

}

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {

        $response = $this->prepareResponse($request, $next($request));

        if ($this->isReading($request) || $this->tokensMatch($request))
        {
            return $this->addCookieToResponse($request, $response);
        }

        return parent::handle($request, $next);
    }

    protected function prepareResponse($request, $response)
    {
        if ( ! $response instanceof SymfonyResponse)
        {
            $response = new Response($response);
        }

        return $response->prepare($request);
    }

}

In AuthController

    /**
     * Get the login form
     *
     * @return $this
     */
    public function getLogin()
    {
        return response()->view('auth.login');
    }
pmall's avatar

Why do you want to show an error message on csrf token error?!

I think you are missing the point of csrf protection. Its purpose is to prevent someone from sending post data to your server from any other source. Here the guy wants to try a csrf attack on your website and you want to show him 'You have been logged out the system due to inactivity.' :D

A 403 response is fine for this.

nolros's avatar
Level 23

@pmall @SachinAgarwal lol! ... I had coffee come pouring out my nose when I read your reply pmall. I suppose it does make sense not to help hackers, but I love hackers, I feel it is an untapped market, be kind to them and so I want to do my best to help them with breadcrumbs :) I have other messages like, 'nice try, how about admin password, only 4 characters long no numeric' ... lol

The issue I'm running into is as follows:

  1. you are on the login screen
  2. the session expires after 60 minutes
  3. user comes back and attempts to log in and Laravel throws a TokenMismatchException

So what I'm doing is catching the exception and redirecting to login. I suppose the question is: is this the right approach, or is there a better practice?

As always thanks guys.

pmall's avatar

I don't think you can do anything about this. And I don't think you should care.

Or maybe regenerate the token with some js hacking when the user clicks the login button, something like that. But I swear you are the only one who thought about this use case :D

nolros's avatar
Level 23

@pmall pmall I'm your special needs kid. Think of me as your pet project that will be the cause of your drinking problem :)
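
A framework-free model of the expired-session case described in this thread, added here as an illustration (it is not code from the thread or from Laravel). The function names, the in-memory session array and the timeline are constructed. It checks the token before the action runs and stores the message in the session whose cookie accompanies the redirect.

```php
<?php
// Constructed in-memory session store: id => [token, expires, flash].
$sessions = [];

// Hypothetical helper: resume a live session or start a new one with a new token.
function startSession(array &$sessions, ?string $id, int $now, int $ttl = 3600): string
{
    if ($id !== null && isset($sessions[$id]) && $sessions[$id]['expires'] > $now) {
        $sessions[$id]['expires'] = $now + $ttl;   // sliding expiry
        return $id;
    }
    if ($id !== null) {
        unset($sessions[$id]);                     // expired: old token is gone
    }
    $new = bin2hex(random_bytes(16));
    $sessions[$new] = ['token' => bin2hex(random_bytes(32)), 'expires' => $now + $ttl, 'flash' => []];
    return $new;
}

// Hypothetical request handler: verify first, run the action only on a match.
function handlePost(array &$sessions, ?string $cookie, string $posted, int $now, callable $action): array
{
    $id = startSession($sessions, $cookie, $now);
    // Constant-time comparison of the session's token with the submitted one.
    if (!hash_equals($sessions[$id]['token'], $posted)) {
        // An expired session and a forged request are indistinguishable here,
        // so the action is never run and the reply is the same for both.
        $sessions[$id]['flash']['email'] = 'You have been logged out the system due to inactivity.';
        return ['status' => 302, 'location' => '/auth/login', 'cookie' => $id, 'ran' => false];
    }
    return ['status' => 200, 'cookie' => $id, 'ran' => true, 'body' => $action()];
}

// Constructed timeline (seconds): form loaded at 0, submitted at 600,
// then the same form submitted again 71 minutes later.
$sid   = startSession($sessions, null, 0);
$token = $sessions[$sid]['token'];
$login = function () { return 'logged in'; };

$fresh = handlePost($sessions, $sid, $token, 600, $login);
$stale = handlePost($sessions, $sid, $token, 4860, $login);

var_dump($fresh['ran'], $stale['ran']);        // whether the login action executed
var_dump($stale['cookie'] === $sid);           // whether the old session id was reused
var_dump($sessions[$stale['cookie']]['flash']); // message stored with the new session
```

The flashed message is only readable on the next page if the redirect response delivers the new session's cookie to the browser.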
