sebastian.virlan's avatar

TokenMismatchException RANDOM via ajax requests only on Chrome Windows

How can this be explained?

  1. Clean install Laravel
  2. Using redis for session and cache
  3. The problem occurs only if I start the server on Windows, and only shows on Chrome.
  4. Using a simple js function for ajax call:

        $.ajaxSetup({
            headers: {
                'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
            },
            data: {
                _token: $('meta[name="csrf-token"]').attr('content')
            }
        });

        for(var i = 0; i < 5; i++){

            getUsers();
        }

        function getUsers() {
            $.ajax({
                url: '/users',
                type: 'POST',
                success: function(data) {
                    console.log(data);
                }
            });
        }

  5. Setting CSRF in meta: <meta name="csrf-token" content="{{ csrf_token() }}" />
  6. Returning a JSON with data:

        public function users() {

            $users = User::all();

            return response()->json([
                'users' => $users,
            ]);
        }

  7. At the end of the video you can see a RANDOM TokenMismatchException: even though the token never changes, sometimes the error occurs.

https://www.youtube.com/watch?v=QDucHoP647g

I know this problem has been discussed for years, but why does a solution for this not exist?

sebastian.virlan's avatar

This is irrelevant and does not fix the problem. If I make an update and return data, I will get the same random error.

usama.ashraf's avatar

It is relevant since with a GET request you won't have to go through the CSRF protection middleware.

jimmck's avatar

The token is set on the server for your session. When the session timeout occurs a new token gets generated. Using csrf_token() in the header might catch it, might not. It's a timing issue. When the error occurs you just grab a new token. It does not matter which platform the client is on. I have an SPA that stays up constantly; when the token expires I just get a new one. Set your session time real low, like 2 mins, and you will see what happens. Also you can just turn off CSRF protection for that route and use a JWT token to guard it.
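
The refresh-and-retry approach described in the reply above, as an added example that is not part of the original thread and is not Laravel's own code. It assumes the server answers a token mismatch with HTTP 419, a hypothetical `GET /csrf-token` route that returns `{"token": "..."}` for the current session, and an injected `fetch`-style function; parallel failures, like the five requests fired in the question's loop, share one refresh.

```javascript
// Added example. Assumptions: mismatch is reported as HTTP 419, and a
// hypothetical GET /csrf-token route returns {"token": "..."} for the session.
function createCsrfClient(fetchImpl, initialToken, opts = {}) {
  const tokenUrl = opts.tokenUrl || '/csrf-token';     // hypothetical route
  const mismatchStatus = opts.mismatchStatus || 419;   // assumed status code
  let token = initialToken;
  let refreshing = null; // shared promise: parallel failures refresh only once

  function refreshToken() {
    if (!refreshing) {
      refreshing = fetchImpl(tokenUrl, { method: 'GET', credentials: 'same-origin' })
        .then((res) => {
          if (!res.ok) throw new Error('token refresh failed: ' + res.status);
          return res.json();
        })
        .then((body) => { token = body.token; return token; })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  function send(url, body, sentToken) {
    return fetchImpl(url, {
      method: 'POST',
      credentials: 'same-origin', // keep the session cookie on the request
      headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': sentToken },
      body: JSON.stringify(body || {}),
    });
  }

  async function post(url, body) {
    const sentToken = token;
    const res = await send(url, body, sentToken);
    if (res.status !== mismatchStatus) return res;
    // Reuse a token another request already fetched; otherwise refresh.
    const fresh = token !== sentToken ? token : await refreshToken();
    return send(url, body, fresh); // retry exactly once, never loop
  }

  return { post, currentToken: () => token };
}
```

A second mismatch is returned to the caller rather than retried again, so a session that is really gone surfaces as an error instead of a request loop.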

jekinney's avatar

Had a similar issue. I moved the set up, specifically getting the token from an HTML element, on the ready function. Seemed to fix my issues.

sebastian.virlan's avatar

@jekinney somewhere you may be right. But I already had the ajax setup on a $(function() { // });

As I see it, every time only the first ajax request from the loop fails, but if I look at the params the token exists!!

I will hardcode the token and come back with feedback.

Edit: So it fails even if I hardcode the token, but only the first time:

    $(function () {
        $.ajaxSetup({
            data: {
                _token: '0uDyscTNAZWV0wyAyhkFcnvlgubof0zdEG8XF5a4'
            }
        });
        ..............

VitaliBR's avatar

I have the same problem! :(

But on my notebook this random TokenMismatchException error happens, and on my desktop it does not.

Notebook = Windows 8, Desktop = Ubuntu 14

And I use Firefox on both
