jhauraw's avatar

TokenMismatch ONLY Certain Browsers - Laravel 5 Fresh/Production

Laravel 5, fresh install, production environment, Linode.

On certain browsers Session Regenerates/Cookie gets emptied on form POST.

Right now about 200 of these submissions happen per day, only about 3 or so per day throw a TokenMismatchException, and always for similar browsers.

What's the magic formula to make the session/cookie persist with these browsers?

3 Example Browser strings that trigger the issue:

FF 36, WIN 7.X   - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
IE 11, WIN 8.1 - Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MAARJS; rv:11.0) like Gecko
CH 41, AND 4.4 - Mozilla/5.0 (Linux; Android 4.4.4; SAMSUNG-SM-G870A Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36
sitesense's avatar

Some preliminary questions...

Do these "similar browsers" always fail, or do you also have occurrences where there is no problem?

Have you looked at the originating IP addresses to see if there's a pattern? Could it be some kind of bot, script or spider, or even browser plugin/malware?

Have you looked at the page request time and submit time? Did the session just time out?

Excuse me but I probably won't reply again right away, gotta hit the sheets, but good luck.
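
The checks sitesense asks about above (a bot or script posting directly, cookies not arriving, request-to-submit time versus session lifetime) can be run mechanically over request logs. This is an added example, not code from the thread or from Laravel; the log columns, sample events and reason labels are hypothetical, and the 120-minute lifetime is an assumption about `config/session.php`.

```python
from collections import Counter

# Assumption: matches 'lifetime' => 120 (minutes) in config/session.php.
SESSION_LIFETIME = 120 * 60

# Constructed events, not real traffic. Fields (all hypothetical log columns):
# (epoch_s, ip, user_agent, method, sid_in, sid_out, token_mismatch)
# sid_in: session id read from the request cookie (None if no cookie arrived)
# sid_out: session id set in the response cookie
EVENTS = [
    (1000, "198.51.100.7", "Firefox/36.0", "GET", None, "s-a", False),
    (1090, "198.51.100.7", "Firefox/36.0", "POST", None, "s-b", True),
    (2000, "203.0.113.9", "Trident/7.0", "GET", None, "s-c", False),
    (12800, "203.0.113.9", "Trident/7.0", "POST", "s-c", "s-d", True),
    (3000, "192.0.2.44", "ExampleBot/1.0", "POST", None, "s-e", True),
    (4000, "203.0.113.20", "Chrome/41.0", "GET", None, "s-f", False),
    (4060, "203.0.113.20", "Chrome/41.0", "POST", "s-f", "s-f", False),
    (5000, "198.51.100.30", "Chrome/41.0", "GET", None, "s-g", False),
    (5030, "198.51.100.30", "Chrome/41.0", "POST", "s-x", "s-h", True),
]

def classify(events, lifetime=SESSION_LIFETIME):
    """Return (ip, user_agent, reason) for each POST flagged as a token mismatch."""
    last_get = {}  # (ip, ua) -> (time, sid_out) of that client's latest form GET
    results = []
    for ts, ip, ua, method, sid_in, sid_out, mismatch in sorted(events, key=lambda e: e[0]):
        key = (ip, ua)
        if method == "GET":
            last_get[key] = (ts, sid_out)
            continue
        if not mismatch:
            continue
        if key not in last_get:
            reason = "no_form_request"   # POST without loading the form: script or bot
        elif sid_in is None:
            reason = "no_cookie_sent"    # cookies disabled or stripped by a plugin
        elif ts - last_get[key][0] > lifetime:
            reason = "session_expired"   # form sat open longer than the session lifetime
        elif sid_in != last_get[key][1]:
            reason = "session_changed"   # client sent a different session than it was given
        else:
            reason = "unexplained"       # cookie and timing look fine; investigate further
        results.append((ip, ua, reason))
    return results

def summary(events=EVENTS):
    """Count mismatches per reason."""
    return Counter(reason for _, _, reason in classify(events))
```

Keying clients by IP and user agent is a heuristic: users behind the same NAT with the same browser will be merged.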

sitesense's avatar

@jhauraw funny that you mention the DNT. I was thinking along those lines, however more to do with browser plugins with security-conscious users.

Perhaps along with DNT they have other measures in place to remain anonymous?

Does your site appeal to those sorts of people?

bashy's avatar

If it's failing, it's to do with cookies and it regenerating the session on POST?

I have DNT on and I've had no issues. I also use CSRF in other frameworks and it's perfectly fine. Have you done testing for timeout issues or if the session is regenerating from cookies not saving?

sitesense's avatar

Yup, DNT in general does nothing on its own, but users who would purposely use DNT may also be super sensitive to sharing any data whatsoever - therefore employing other techniques like disabling cookies entirely.

Some ad blocker plugins and the like can also be overzealous in the tactics that they employ, causing similar issues.

bashy's avatar

Give them a nice message saying your security token is invalid, please refresh this page to continue. You can try and mess around with cache, there's a few topics on the back button cache stuff.

bashy's avatar

Can't say it's a bug in the framework when they can't reproduce it. It could well be a bug within the framework but the actual cause could be something else.

jhauraw's avatar

@bashy it's labelled as a bug on GitHub by the maintainers. But, I hear ya, this one could be caused by any number of external issues, and may not have anything to do with L5 core code.
