hussain_nayani wrote:

419 - Session Expired without event authentication after deployment | Laravel 5.7

My Laravel application works fine on my local machine and on my staging server, but when I deployed it to my production server the login form is not working. Every time I try to log in to the admin panel it shows me

419

Sorry, your session has expired. Please refresh and try again.

My <head> tag contains <meta name="csrf-token" content="XXX">

My login form contains <input type="hidden" name="_token" value="XXX">

What I have tried so far:

  • Tried generating a new key: php artisan key:generate
  • Tried clearing all caches:
      php artisan cache:clear
      php artisan route:clear
      php artisan view:clear
  • Checked php.ini max_execution_time and memory limits.
  • Tried changing SESSION_DRIVER from file to database.

The only thing that kind of worked, but was unsafe and only for debugging purposes:

In the VerifyCsrfToken class I added "api/login" and "api/register" to protected $except and the form worked, like this:


<?php

namespace FleetCart\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        "api/login",
        "api/register",
    ];
}

Please help me understand how to resolve this.

Thanks in advance.

abhijeet9920 wrote:

Hello @hussain_nayani ,

From your explanation, I'm assuming that you've created two web services, one for signing in a user and one for registering a user. Laravel has a built-in mechanism for CSRF protection: in all POST requests an additional csrf_token is expected as a parameter, and this parameter is checked on the server side. You can generate a CSRF token using

csrf_token(); // helper

// or, in a Blade template:
<form method="POST" action="/profile">
    @csrf
    ...
</form>

Please go through the documentation.

You can disable this CSRF protection by specifying your routes as you've done:

<?php
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        "api/login",
        "api/register"
    ];
}

However, this may not be good practice, since in the future you may need to work on the API with GET, POST or other methods.

Another simple solution is to use the api.php file for your API routes. It's already there in the routes directory since 5.3. If you go to Kernel.php, you'll see two middleware groups. The web middleware group is applied to your web routes, i.e. the routes you've added in web.php, and the api group is applied to routes added in api.php. The VerifyCsrfToken class is only run for web routes.

<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{

    ...
    protected $middlewareGroups = [
        'web' => [
            ...
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        'api' => [
            ...,
        ],
    ];
    ...
}

I would suggest you add these two routes in api.php.

Apologies for the long explanation.
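As an added example (not Laravel's own code and not part of this thread), here is a simplified Python model of the decision the VerifyCsrfToken middleware makes on each request: reading methods pass, `$except` patterns pass, otherwise the submitted `_token` (or X-CSRF-TOKEN header) must equal the session token or the request ends in a 419. The Request and Session classes and the `simulate_login` flow are constructed stand-ins; the encrypted X-XSRF-TOKEN cookie header that Laravel also accepts is left out.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# HTTP methods Laravel treats as "reading": never CSRF-checked.
READING_METHODS = {"HEAD", "GET", "OPTIONS"}


@dataclass
class Session:
    """Stand-in for the Laravel session; a fresh session gets a fresh _token."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(30))


@dataclass
class Request:
    """Constructed stand-in for Illuminate\\Http\\Request (hypothetical)."""
    method: str
    path: str                                   # decoded path, no leading slash
    form: dict = field(default_factory=dict)    # POST body fields
    headers: dict = field(default_factory=dict)
    session: Session = field(default_factory=Session)


def in_except_array(path: str, except_patterns) -> bool:
    """Model of VerifyCsrfToken::inExceptArray: each $except entry is a URI
    pattern compared against the request path, with '*' as the only wildcard."""
    for pattern in except_patterns:
        if pattern != "/":
            pattern = pattern.strip("/")
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, path):
            return True
    return False


def tokens_match(request: Request) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    sent = request.form.get("_token") or request.headers.get("X-CSRF-TOKEN")
    if not isinstance(sent, str) or not sent:
        return False
    return hmac.compare_digest(sent, request.session.token)


def verify_csrf(request: Request, except_patterns=()) -> str:
    """Return 'pass' when the middleware lets the request through, or '419'
    where Laravel would throw TokenMismatchException (rendered as the 419 page)."""
    if request.method.upper() in READING_METHODS:
        return "pass"
    if in_except_array(request.path, except_patterns):
        return "pass"
    return "pass" if tokens_match(request) else "419"


def simulate_login(session_cookie_persisted: bool) -> str:
    """Two-request flow: GET the form, then POST it back with the embedded token.
    If the session's Set-Cookie never reached the browser (for example because
    stray output before <?php meant the headers were already sent), the POST
    arrives with a brand-new session whose token cannot match the form's."""
    first = Request("GET", "login")
    form_token = first.session.token            # what {{ csrf_field() }} rendered
    session = first.session if session_cookie_persisted else Session()
    post = Request("POST", "login", form={"_token": form_token}, session=session)
    return verify_csrf(post)


if __name__ == "__main__":
    print("cookie persisted:", simulate_login(True))
    print("cookie lost:     ", simulate_login(False))
    print("api/login excepted:", verify_csrf(Request("POST", "api/login"), ("api/login",)))
```

The second scenario in `simulate_login` is the shape of the failure in this thread: the token the form carries is valid for the session that rendered it, but if that session is never persisted on the client, every POST is checked against a different, freshly generated token and always fails. Whether leading output is fatal can depend on php.ini's output_buffering, which is one reason the same code can behave differently between a local setup and a production server.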

hussain_nayani wrote:

Thank you so much @abhijeet9920 for your response on the matter; your long explanation is much appreciated. However, I regret to tell you that this didn't work.

I am not getting the session expired error now but still unable to get logged in.

Auth::user() still returns null.

PS: I am sorry for my dumb questions/responses. I am new to Laravel.

abhijeet9920 wrote:

Even a dumb question makes a valid point, so no problem. It will be really helpful if you give some sample code. If I'm not wrong, you're working on API authentication.

You can visit here. This will be really helpful to you.

hussain_nayani wrote:

Thanks @abhijeet9920 for being so positive.

No, I am not using API authentication; instead I am working on a web application. Here's the code of the login form. Please let me know if you want me to share any other code snippets from my app.

<form method="POST" action="{{ route('login.post') }}" class="login-form clearfix">
    {{ csrf_field() }}

    <div class="bg-blue">
        <div class="reflection"></div>
    </div>

    <div class="login form-inner clearfix">
        <a href="{{ route('register') }}" class="register" data-toggle="tooltip" data-placement="top" title="{{ trans('user::auth.register') }}" rel="tooltip">
            <i class="fa fa-user-plus" aria-hidden="true"></i>
        </a>

        <h3>{{ trans('user::auth.login') }}</h3>

        <div class="form-group {{ $errors->has('email') ? 'has-error': '' }}">
            <label for="email">{{ trans('user::auth.email') }}<span>*</span></label>

            <input type="text" name="email" value="{{ old('email') }}" class="form-control" id="email" placeholder="{{ trans('user::attributes.users.email') }}" autofocus>

            <div class="input-icon">
                <i class="fa fa-envelope-o" aria-hidden="true"></i>
            </div>

            {!! $errors->first('email', '<span class="error-message">:message</span>') !!}
        </div>

        <div class="form-group {{ $errors->has('password') ? 'has-error': '' }}">
            <label for="password">{{ trans('user::auth.password') }}<span>*</span></label>

            <input type="password" name="password" class="form-control" id="password" placeholder="{{ trans('user::attributes.users.password') }}">

            <div class="input-icon">
                <i class="fa fa-lock" aria-hidden="true"></i>
            </div>

            {!! $errors->first('password', '<span class="error-message">:message</span>') !!}
        </div>

        <div class="clearfix"></div>

        <button type="submit" class="btn btn-primary btn-center btn-login" data-loading>
            {{ trans('user::auth.login') }}
        </button>

        <div class="checkbox pull-left">
            <input type="hidden" value="0">
            <input type="checkbox" value="1" id="remember">

            <label for="remember">{{ trans('user::auth.remember_me') }}</label>
        </div>

        <a href="{{ route('reset') }}" class="forgot-password pull-right">
            {{ trans('user::auth.forgot_password') }}
        </a>
    </div>
</form>

hussain_nayani wrote:

Hello @snapey, thank you for your response.

I used this command to find all the files with a blank first line and found some view files:

find . -name '*php' -exec awk 'NR==1&&/^$/{print FILENAME}' {} \;

Unfortunately it didn't help.

Snapey wrote:

As I said in that post, view files will not be an issue.

And it's not just blank lines. It's ANY character before the <?php.

hussain_nayani wrote:

Thank you so much @snapey.

After spending hours I found a file that had a space before the opening PHP tag.

Thank you so much, sir. You saved my life.
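A scanner for exactly what @snapey describes, added here as an example and not part of the original posts: it reads each PHP file as raw bytes and reports anything that precedes `<?php` (a space, a blank line, a UTF-8 BOM that editors can add invisibly), which the OP's awk one-liner, limited to blank first lines, would miss. Going one step beyond the thread, it also reports whitespace after a final closing `?>`, since PHP only swallows a single newline there and anything more is sent as output just like a leading space. Blade views are skipped because, as noted above, they are not the issue; the list of directories to skip (vendor, node_modules, storage) is my assumption.

```python
import os
import re

BOM = b"\xef\xbb\xbf"
# A closing tag followed only by whitespace up to end of file.
CLOSING_TAG_RE = re.compile(rb"\?>(\s*)\Z")


def check_php_source(data: bytes) -> list:
    """Return a list of problem descriptions for one file's raw bytes.
    An empty list means the file cannot emit output around its PHP tags."""
    problems = []
    if data.startswith(BOM):
        problems.append("UTF-8 BOM before <?php")
        data = data[len(BOM):]
    idx = data.find(b"<?php")
    if idx < 0:
        problems.append("no <?php opening tag found")
    elif idx > 0:
        # Spaces, newlines or stray text before the opening tag are all output.
        problems.append(f"{idx} byte(s) before <?php: {data[:idx]!r}")
    # PHP swallows exactly one newline directly after a closing ?>; a blank
    # line or trailing spaces after it are sent to the client as output.
    m = CLOSING_TAG_RE.search(data)
    if m and m.group(1) not in (b"", b"\n", b"\r\n"):
        problems.append(f"output after closing ?>: {m.group(1)!r}")
    return problems


def scan_tree(root: str, skip_dirs=("vendor", "node_modules", "storage")) -> dict:
    """Walk a project tree and map each offending .php path to its problems.
    .blade.php templates are skipped: leading markup is normal there."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]   # assumed skip list
        for name in filenames:
            if not name.endswith(".php") or name.endswith(".blade.php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                problems = check_php_source(fh.read())
            if problems:
                findings[path] = problems
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, problems in scan_tree(root).items():
        print(f"{path}: {'; '.join(problems)}")
```

Run it against the project root on the server where the 419 appears (`python3 scan.py /var/www/app`), not just the checkout, since a file edited in place on the server is exactly the kind of thing that differs between staging and production. The module-level regular files check (`check_php_source`) can also be dropped into a pre-commit hook so the stray byte never reaches the repository in the first place.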

juanfecode wrote:

@snapey Thank you, but I did not find any files with this problem.

Another page suggested disabling @csrf with this code. I added it to the VerifyCsrfToken class and it worked.

I still don't understand the cause of this error.

public function handle($request, \Closure $next)
{
    // Skip CSRF verification entirely when APP_ENV is local or dev
    if (in_array(env('APP_ENV'), ['local', 'dev'])) {
        return $next($request);
    }

    return parent::handle($request, $next);
}
hussain_nayani wrote:

Hi @juanfecode, I found a file in my project which had an extra space before the opening PHP tag. I removed it and it started working fine.

zoxed wrote:

Which file was that, if you may please? Also, I have a problem: whenever I try to log in to the admin panel I get this error, "500 | server error", and when I reload the page it works, but I am seeing it every time...
