Sorry, your session has expired. Please refresh and try again. 5.7

It looks like you have done the basic troubleshooting steps and the upgrade guide has nothing specific.

https://laravel.com/docs/5.7/upgrad

If you spin up a new 5.7 application and migrate your code does it work?

Yeah, I've tried that too, new 5.7 doesn't work either.

Try setting protected static $serialize = true; in your App\Http\Middleware\EncryptCookies middleware.

https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30

@CRONIX -

ErrorException (E_NOTICE) unserialize(): Error at offset 0 of 40 bytes

Edit: Cleared cookies, still expired session issue.

@JACOBS - It's really odd if your seeing this with a new app. What other features are you using like queues, etc... if you change these to file based do things work?

What's your environment like? Windows? Mac with Valet?

Don't think I have any special features that could affect that. Running on Ubuntu 18.04 with apache2 & mysql db

Funny thing is that when I disable VerifyCsrfToken middleware, I can't login either. There's no error message, nothing. I just don't get logged in. I can register, but I won't get logged in either.

Can you check apache logs and see if there's any clue in there.

To add,

    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }

This doesn't get to sending failed login response, as ->attemptLogin($request) is successful.. yet user doesn't log in.. what the hell?

@ZION - error.log doesn't have anything popping up unfortunately

access.log as usual, nothing surprising

::1 - - [27/Dec/2018:14:42:21 +0100] "POST /login HTTP/1.1" 302 972 "http://thanatos.localhost/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"

Are there any files in storage/framework/sessions? Maybe a permission issue on that folder?

@REALRANDYALLEN - Surprised as well, there are no files in there, though permissions are set, (as I've noted in the first post), using 777 doesn't help either.

Edit: drwxrwxrwx 2 www-data www-data 4096 dec 27 14:07 sessions

@JACOBS - What's config.session.files set to?

Probably the default, storage_path('framework/sessions'), but covering all bases

Indeed default, 'files' => storage_path('framework/sessions'),

Okay.. I just found out the issue.

I had an ExtendedStartSession class which I've used to not count a certain route as previous.

Seems like something has changed during the upgrade and it broke, I'll investigate what broke and rewrite the code properly.

CSRF verification now works aswell, but I greatly appreciate your suggestions @realrandyallen as that reminded me that I've messed with that middleware a while ago.

Thus.. solved :)

@JACOBS - Glad you got it fixed :) That one was quite mysterious