@robjbrain hello, has this been fixed? I'm facing a similar issue right now and I don't know where to go from here. I've tried different configurations, nothing happens
Constant TokenMismatchException Errors
On my local environment everything is working fine.
On the server I set up a beta subdomain so other people can test, but submitting any form seems to be returning a TokenMismatchException. This may be due to being a subdomain and clashing of cookies/sessions but I'm not sure. I've done some debugging and tried to give as much information as I can.
- This either happens every time or not at all, i.e. every time I reload the page it will happen, or I'll open different tabs and it will be happening. But let's say I stop for an hour and come back, it won't be happening anymore.
- This happens both with the file and apc session drivers.
- This is happening on a Laravel 5 app at beta.mydomain.com; mydomain.com is running a Laravel 4 app.
- The session name on the Laravel 4 app is "laravel_session"; the session name on the Laravel 5 app is "susie_session".
- The domain in both cases is set to null in the session.php config. I have avoided touching this yet as I'm concerned about messing with cookies on the live site. This may well be the issue, although it seems strange that the problem would be intermittent if this was the case.
- I put in the following debug code in the VerifyCsrfToken Middleware:
    // Pass the request through when it is a read, is excluded, or the tokens match.
    if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) {
        return $this->addCookieToResponse($request, $next($request));
    }
    // Otherwise dump every token source so they can be compared.
    echo 'This is an attempt to debug the tokenmismatchexception:<br />';
    echo 'Request Input: '.$request->input('_token').'<br />';
    echo 'X-CSRF-TOKEN: '.$request->header('X-CSRF-TOKEN').'<br />';
    echo 'X-XSRF-TOKEN: '.$request->header('X-XSRF-TOKEN').'<br />';
    echo 'Session Token: '.$request->session()->token().'<br />';
    if ($header = $request->header('X-XSRF-TOKEN')) {
        echo 'Decrypted X-XSRF-TOKEN: '.$this->encrypter->decrypt($header).'<br />';
    }
    dd('DONE');
Whenever it hits the error, I notice that the input('_token') stays the same (makes sense, this is just the post data) but the session()->token() changes on every single reload, hence why it never matches the postdata.
Can anyone give any further insight into how the token verification works? How is it set and is it meant to stay the same through each pageload? Why would it change on every reload? Has anyone encountered similar errors before?
I assume it's something to do with the beta subdomain clashing with the live site but at the moment I can't verify that.
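A simplified model of session-bound CSRF token checking, added here as an illustration and not taken from Laravel's source or from the post above: the token is created once per session, so it only stays constant across page loads while the browser keeps returning a session cookie the server can resolve. The function names and the in-memory `$store` (standing in for the session driver) are hypothetical.

```php
<?php
// Constructed model of session-bound CSRF verification (not Laravel's code).
// $store stands in for the server-side session driver (file, apc, ...).

function startSession(array &$store, ?string $cookieId): string
{
    // A missing or unknown session id means a brand-new session is created.
    if ($cookieId === null || !isset($store[$cookieId])) {
        $cookieId = bin2hex(random_bytes(20));
        // The CSRF token is generated once, when the session is first created.
        $store[$cookieId] = ['_token' => bin2hex(random_bytes(20))];
    }
    return $cookieId;
}

function tokensMatch(array $store, string $sessionId, string $submitted): bool
{
    // Constant-time comparison of the session's token with the submitted one.
    return hash_equals($store[$sessionId]['_token'], $submitted);
}

$store = [];

// Case 1: the browser returns the session cookie, so the same session and
// the same token are found again when the form is posted.
$id        = startSession($store, null);   // GET: new session, cookie issued
$formToken = $store[$id]['_token'];        // token rendered into the form
$postId    = startSession($store, $id);    // POST: same cookie comes back
var_dump(tokensMatch($store, $postId, $formToken));

// Case 2: the cookie is not returned, or its id cannot be resolved in the
// store, so each request starts a fresh session with a fresh token and the
// posted token can never match.
$id        = startSession($store, null);
$formToken = $store[$id]['_token'];
$postId    = startSession($store, null);   // POST without a usable cookie
var_dump(tokensMatch($store, $postId, $formToken));
```

A session token that differs on every reload corresponds to case 2, which makes the `Set-Cookie` response header and the `Cookie` request header of two consecutive requests the first things to compare.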