TokenMismatchException - Laravel 5 Session Conflict

I'm currently testing the Laravel 5 upgrade (and a switch to using Redis for session management) on a dev site but I'm experiencing a strange session conflict when switching between my live and development websites. The live website is still running on Laravel 4.1.

If I only use our dev website, everything works fine. As soon as I visit our live website, any form submissions on the dev site result in a token mismatch. The live site still works fine.

I've tried switching back to using the database for sessions and the issue is still there so it seems to be an issue introduced during the Laravel 5 upgrade.

As I've got a frontend and backend (on an admin subdomain) for both the dev and live sites, the cookie domain I use is in the form .domain.com and .dev.domain.com. That's so both domain.com + admin.domain.com or dev.domain.com + admin.dev.domain.com will work respectively.

If I delete the cookie that the live site generates, then the dev site starts working again. It's almost like it's picking up the wrong cookie even though it's not from the correct cookie domain.

Both sites share the same session name. Could that be an issue? I guess I could create a new environment variable to set that differently.

Any suggestions on where I need to start looking? My current line of thought is that I may need to override how Laravel is handling sessions, if it's the subdomain causing the issue.

Rjs37
OP
Best Answer
Level 2

Turned out to be the matching session name that was causing the problem. The dev/testing site was picking up the live site's session before its own and as the name matched it tried using that one. Not sure why I'm only just experiencing this behaviour but I'll just keep in mind from now on, that my live and dev sites need to have different session names.
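
Why the shared name breaks only the dev site, as an added example that is not part of the original thread: it applies the RFC 6265 domain-match rule to the two cookie domains from the question. The cookie values and the `dev_session` name are constructed for illustration.

```javascript
// Added example; cookie values and the renamed cookie are constructed.

// RFC 6265 section 5.1.3 domain-match: the request host is the cookie
// domain itself or a subdomain of it. A leading dot is ignored.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Cookies a browser would attach to a request for `host`.
function cookiesSentTo(host, jar) {
  return jar.filter((c) => domainMatch(host, c.domain));
}

// Names that arrive more than once: the server cannot tell which value is
// its own, and RFC 6265 says not to rely on the order in the header.
function ambiguousNames(host, jar) {
  const counts = new Map();
  for (const c of cookiesSentTo(host, jar)) {
    counts.set(c.name, (counts.get(c.name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

function cookieHeader(host, jar) {
  return cookiesSentTo(host, jar).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed jar after visiting both sites with the same session name.
const sharedName = [
  { name: "laravel_session", value: "live-id", domain: ".domain.com" },
  { name: "laravel_session", value: "dev-id", domain: ".dev.domain.com" },
];
// Same visits after giving the dev site its own (hypothetical) name.
const distinctNames = [
  { name: "laravel_session", value: "live-id", domain: ".domain.com" },
  { name: "dev_session", value: "dev-id", domain: ".dev.domain.com" },
];

for (const host of ["domain.com", "admin.domain.com", "dev.domain.com", "admin.dev.domain.com"]) {
  console.log(host, "|", cookieHeader(host, sharedName), "| ambiguous:", ambiguousNames(host, sharedName));
}
console.log("dev.domain.com |", cookieHeader("dev.domain.com", distinctNames), "| ambiguous:", ambiguousNames("dev.domain.com", distinctNames));
```

Even with distinct names, the live site's session cookie is still sent to every dev host, because `.domain.com` covers `dev.domain.com`.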

ibrahimdolas

@Rjs37 I know it's been 6 years and you should have figured it out already, but I couldn't find any solutions yet. Can you tell me how to configure session names? I have live production which should be unreachable outside. It's a SaaS for doctors, there's patient data inside. So, it had to be unreachable. Still, I had to have a demo version with dummy data to show new clients (doctors) what my project looks like. So I cloned my project with dummy data at demo.domain.com. Now, I have the same conflict. Any suggestions?

EDIT: I wrote a different SESSION_COOKIE name in config/session.php but it still doesn't seem to work.

hemantadsl

Hi, I just updated my framework to L5.2.31 and after that there is always a token mismatch error every time on login. I have already read all threads related to this and I did:

  • in login page
  • proper form open with {{ csrf_field() }}
  • in / out my Route::auth() from web middleware.
  • change RouteServiceProvider for applying web route default
  • Illuminate/Foundation/Http/Middleware/VerifyCsrfToken: I checked in this file, and what I got is that the session token and request are not the same in the tokensMatch function.

I have just lost all my hope. Please help. Thanks.

sebastiangperez

I got the same issue. I think the issue is from using subdomains, this sucks.
