Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

brendonaohanlon@gmail.com's avatar

CSRF Token is empty - not answered

I'm trying to do a login form but keep getting a token mismatch error. When I look at the form HTML, the '_token' field is empy. I've got my routes in the web middleware like so:


Route::group(['middleware' => 'web'], function () {
    
    Route::auth();
    // Authentication routes...
    Route::get('auth/login', 'Auth\AuthController@getLogin');
    Route::post('auth/login', 'Auth\AuthController@postLogin');
    Route::get('auth/logout', 'Auth\AuthController@getLogout');
    
    // Registration routes...
    Route::get('auth/register', 'Auth\AuthController@getRegister');
    Route::post('auth/register', 'Auth\AuthController@postRegister');

    Route::get('/home', 'HomeController@index');
});

but the _token field remains empty. What am I doing wrong?

0 likes
11 replies
petrit's avatar

Is there appearing any error like "TokenMismatchException"? Make sure the csrf field is somewhere between form tags. Or, it could be better if you share more

brendonaohanlon@gmail.com's avatar

My view (in part) looks like this:


                    <form method="post" action="{{ url('/login') }}">
                        <?php echo Form::token(); ?>
                        <input type="text" name="email" placeholder="email"/>
                        <input type="password" name="password" placeholder="password"/>
                        <input type="submit" value="Go"/>
                    </form>

It is showing the tag like this

<input type="hidden" name="_token">

but has no value. There is also a meta tag with no value using this:

        <meta name="csrf_token" content="{!! csrf_token() !!}">

but the field is empty

zachleigh's avatar

You need to actually put the token in your view. Try this:

                    <form method="post" action="{{ url('/login') }}">
                        {{ csrf_field() }
                        <input type="text" name="email" placeholder="email"/>
                        <input type="password" name="password" placeholder="password"/>
                        <input type="submit" value="Go"/>
                    </form>
Jaytee's avatar

Like I said in your previous thread or what @zachleigh said.

You can either use

csrf_field()

OR:

<input type="hidden" name="_token" value="{{ csrf_token() }}">

csrf_field() will generate the whole hidden input.

brendonaohanlon@gmail.com's avatar
[email protected]
OP
10 years ago
Best Answer
Level 1

I still end up with this:

<input type="hidden" value="" name="_token">

There is no token being generated/displayed (empty value)

Mo7sin's avatar

Also you can remove all Authentication and Registration routes since you have Route::auth() in place

Route::group(['middleware' => 'web'], function () {
    
    Route::auth();

    Route::get('/home', 'HomeController@index');
});
brendonaohanlon@gmail.com's avatar

I clicked the wrong button. This is not yet answered. The token field is showing up as empty using any method above. I have token field being included in two forms, but in both forms the value of the field is empty. I've tried using the methods already shown.

Snaver's avatar

For people still facing this issue, ultimately it's because the 'web' middleware isn't in use for the route you're viewing/using.

1 like
oofnivek's avatar

I had similar issue, and I found out what went wrong with mine. I had

session()->flush();

at the beginning of my function in controller while trying to forget a session key.

1 like

Please or to participate in this conversation.