Level 9
Can you verify that the value of the csrf-token is different when you look at the page in an incognito window compared to a regular (non-incognito) window?
1 like
Jul 17, 2020
29
Level 5
419|page expired error when trying to login
guys working with online examination project. simultaneously 3000 students will write the exam.
till yesterday the application worked fine. but today when student try to login they face this issue
419|page expired
why this happens??
this is my route file
Auth::routes();
Route::get('logout', '\App\Http\Controllers\Auth\LoginController@logout');
Route::get('/', 'HomeController@index')->name('home');
this is my login form
<form class="md-float-material form-material" method="POST" action="{{ route('login') }}">
{{ csrf_field() }}
<div class="agile-field-txt">
<input type="text" name="username" placeholder="username" />
</div>
<div class="agile-field-txt">
<input type="password" name="password" placeholder="Password" required="" id="myInput" />
</div>
<div class="w3ls-bot">
<input type="submit" value="LOGIN">
</div>
</form>
this is my config/session.php
<?php
use Illuminate\Support\Str;
return [
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default, we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "file", "cookie", "database", "apc",
| "memcached", "redis", "dynamodb", "array"
|
*/
'driver' => env('SESSION_DRIVER', 'file'),
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => env('SESSION_LIFETIME', 120),
'expire_on_close' => false,
/*
|--------------------------------------------------------------------------
| Session Encryption
|--------------------------------------------------------------------------
|
| This option allows you to easily specify that all of your session data
| should be encrypted before it is stored. All encryption will be run
| automatically by Laravel and you can use the Session like normal.
|
*/
'encrypt' => false,
/*
|--------------------------------------------------------------------------
| Session File Location
|--------------------------------------------------------------------------
|
| When using the native session driver, we need a location where session
| files may be stored. A default has been set for you but a different
| location may be specified. This is only needed for file sessions.
|
*/
'files' => storage_path('framework/sessions'),
/*
|--------------------------------------------------------------------------
| Session Database Connection
|--------------------------------------------------------------------------
|
| When using the "database" or "redis" session drivers, you may specify a
| connection that should be used to manage these sessions. This should
| correspond to a connection in your database configuration options.
|
*/
'connection' => env('SESSION_CONNECTION', null),
/*
|--------------------------------------------------------------------------
| Session Database Table
|--------------------------------------------------------------------------
|
| When using the "database" session driver, you may specify the table we
| should use to manage the sessions. Of course, a sensible default is
| provided for you; however, you are free to change this as needed.
|
*/
'table' => 'sessions',
/*
|--------------------------------------------------------------------------
| Session Cache Store
|--------------------------------------------------------------------------
|
| When using the "apc", "memcached", or "dynamodb" session drivers you may
| list a cache store that should be used for these sessions. This value
| must match with one of the application's configured cache "stores".
|
*/
'store' => env('SESSION_STORE', null),
/*
|--------------------------------------------------------------------------
| Session Sweeping Lottery
|--------------------------------------------------------------------------
|
| Some session drivers must manually sweep their storage location to get
| rid of old sessions from storage. Here are the chances that it will
| happen on a given request. By default, the odds are 2 out of 100.
|
*/
'lottery' => [2, 100],
/*
|--------------------------------------------------------------------------
| Session Cookie Name
|--------------------------------------------------------------------------
|
| Here you may change the name of the cookie used to identify a session
| instance by ID. The name specified here will get used every time a
| new session cookie is created by the framework for every driver.
|
*/
'cookie' => env(
'SESSION_COOKIE',
Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
),
/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically, this will be the root path of
| your application but you are free to change this when necessary.
|
*/
'path' => '/',
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => env('SESSION_DOMAIN', null),
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => env('SESSION_SECURE_COOKIE', false),
/*
|--------------------------------------------------------------------------
| HTTP Access Only
|--------------------------------------------------------------------------
|
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
|
*/
'http_only' => true,
/*
|--------------------------------------------------------------------------
| Same-Site Cookies
|--------------------------------------------------------------------------
|
| This option determines how your cookies behave when cross-site requests
| take place, and can be used to mitigate CSRF attacks. By default, we
| do not enable this as other CSRF protection services are in place.
|
| Supported: "lax", "strict", "none"
|
*/
'same_site' => null,
];
this is the link: nissimax.com/Student-Login-Page
when i click this it changes like this https://www.nissimax.com/Student-Login-Page/login
everthing is ok. now i gave the login details and i pressed login button it shows 419|page expired error
why??
this is my login controller
<?php
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use App\Http\Requests;
use App\User;
use Alert;
use Session;
use App\AcademicYear;
use Illuminate\Validation\Rule;
use Auth;
class LoginController extends Controller
{
/*
|--------------------------------------------------------------------------
| Login Controller
|--------------------------------------------------------------------------
|
| This controller handles authenticating users for the application and
| redirecting them to your home screen. The controller uses a trait
| to conveniently provide its functionality to your applications.
|
*/
use AuthenticatesUsers;
/**
* Where to redirect users after login.
*
* @var string
*/
protected $redirectTo = '/';
/**
* Create a new controller instance.
*
* @return void
*/
public function __construct()
{
$this->middleware('guest')->except('logout');
}
public function login(Request $request)
{
if (auth()->attempt(request(['username', 'password'])) == true ) {
return redirect()->route('home');
}
else {
return back()->withErrors([
'message' => 'The email or password is incorrect, please try again',
]);
}
}
}
what may be the issue.
when i googled it most of them said to add csrf token. i have the csrf token. but still didnt work. i hve the csrf token in my login form.
i have a logout function so what i did is nissimax.com/Student-Login-Page/logout it redirected to login page. then i tried to login but the same error.
i changed my browser, checked in incognito mode. also gave
php artisan cache clear, optimize, view clear, route clear everything.
but not working. please some one help pleaseee
Level 2
hi jeffreyvanrossum,
i have face 419 status code problem today and after messing with my code whole day finally your this reply help me alot, but how it is possible that in incogneto window csrf token has different value than normal window
Level 5
@jeffreyvanrossum thank you so much for your response
how to check that
Level 5
@jeffreyvanrossum its not moving to the login controller. even i ginve wrong username and password it just says 419|page expired only
Level 9
Check the source code of the page in both incognito and normal and look for the csrf token meta field at the top of the page. Check if they are identical.
If they are, it might be cache related. Have you configured any form of caching?
Level 5
@jeffreyvanrossum thank you
i check the csrf toke the values are changing in normal browser and incognito ..
i have these codings in my route
Route::get('/cc', function () {
Artisan::call('cache:clear');
echo '<script>alert("cache clear Success")</script>';
});
Route::get('/ccc', function () {
Artisan::call('config:cache');
echo '<script>alert("config cache Success")</script>';
});
Route::get('/vc', function () {
Artisan::call('view:clear');
echo '<script>alert("view clear Success")</script>';
});
Route::get('/cr', function () {
Artisan::call('route:cache');
echo '<script>alert("route clear Success")</script>';
});
Route::get('/coc', function () {
Artisan::call('config:clear');
echo '<script>alert("config clear Success")</script>';
});
Route::get('/storage123', function () {
Artisan::call('storage:link');
echo '<script>alert("linked")</script>';
});
so i cleared the the cache, route, confiq etc till not working please any suggestion
Level 9
Level 1
Check this out, worked for me: https://www.edureka.co/community/65695/error-419-sorry-your-session-has-expired-post-request-laravel
1st, check the login form has a @csrf token:
<form method="POST" action="{{ route('login') }}">
@csrf
....
2do, check your .env file, for SESSION_DOMAIN, use empty if you are local (127.0.0.1...)
SESSION_DOMAIN=
or put your actual domain if you are live
SESSION_DOMAIN=domain.com
21 likes
Level 4
Thanks so much. This is was the issue for me!
Level 2
Thank you. This solved it for me.
Level 1
Thank You!
Level 2
Thank you for posting this tip! I was freaking out when I couldn't log in. I am working on localhost on a new site in dev and just turned off browser-sync. :) SESSION_DOMAIN was set for localhost:3000 ugh
@franzag Thanks a lot for sharing valuable content.. I got a solution.. Thanks once again
Level 5
This is a problem I have seen a few times, and is usually when using apache.
If there are any stray characters or new lines before the opening <?php in any of the files that get executed then those characters are emitted by the web server before cookies are prepared and sent.
This blocks cookies from being send to the client, and the client has to start a new session on every request.
Unfortunately, the only solution is to look at every file you have created or modified (not too bad if you use Git) and ensure that <?php are the first characters in every php file.
You can ignore view files because they are not used until after the cookies are sent.
Most likely candidates are controllers, service providers and route files.
Level 122
@tarikmanoar can't believe you copied my previous answer word for word and posted it as your own.
https://laracasts.com/discuss/channels/general-discussion/problem-with-cookies-after-deployment-into-shared-host?page=1&replyId=599559
What a low-life.
6 likes
Level 1
@Snapey It's work for me
Level 1
thank you @snapey your answers help me fixed my problem, i added ob_start() in my index.php , i do know it's not ideal but it worked i looked for that stray character and found nothing. The server i am using is ngnix.
Level 1
Thankyou.
Level 1
I have solved the session problem (419-page Expire) session as a database. I think it would be helpful.
Change .env variable to
SESSION_DRIVER=database
SESSION_LIFETIME=120
run this commands
php artisan session:table
php artisan cache:clear
php artisan migrate
Level 1
@najathi You have change the way of session storage. Laravel stores session mostly in database or file.
Level 21
Check if you have domain in the config/session.php setup to the right path. Even I had got the same problem. And resolved it just by changing that path.
Level 1
I has the same problem when deploying in production server. I installed passport, then clear cache:
composer require laravel/passport
php artisan migrate
php artisan passport:install
php artisan config:cache
Level 1
I solved by this problem with clearing the cache.
Route::get('/clear', function() { Artisan::call('cache:clear'); Artisan::call('config:cache'); Artisan::call('view:clear'); return "Cleared!"; });
Level 1
Just add Auth::routes(); to your web.php file
Level 8
I've seen a lot of questions about this 419 Page expired error thing.
This package will solve the issue, laravel-caffeine
composer require genealabs/laravel-caffeine
Read more here
Level 3
In our case (using Fortify package) I found that mobile browsers more aggressively grab cached version of login page, resulting in defunct csrf value, etc. To overcome I added additional headers to middleware setting in config/fortify.php:
...
'middleware' => ['web', 'cache.headers:no_store;must_revalidate;max_age=0'],
...
Level 1
hi, i am having the same issue this is my functions public function login() { return view('auth.login'); }
public function authenticate(Request $request)
{
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required'
]);
// Check if the email exists in the 'users' table
$user = User::where('email', $credentials['email'])->first();
if (!$user) {
return back()->withErrors([
'email' => 'Email is not yet registered.',
])->onlyInput('email');
}
if (Auth::attempt($credentials)) {
$user = Auth::user();
$request->session()->regenerate();
auth()->user()->generateCode();
return redirect()->route('2fa.index');
}
return back()->withErrors([
'password' => 'Password do not match in our records.',
])->onlyInput('password');
}
this is my routes Route::get('/login', [PageController::class, 'login'])->name('login'); Route::get('/register', [PageController::class, 'register'])->name('register'); Route::post('/authenticate', [PageController::class, 'authenticate'])->name('authenticate'); Route::post('logout', [PageController::class, 'logout'])->name('logout'); Route::post('/store', [PageController::class, 'store'])->name('store'); Route::get('2fa', [TwoFAController::class, 'index'])->name('2fa.index'); Route::post('2fa', [TwoFAController::class, 'store'])->name('2fa.post'); Route::get('2fa/reset', [TwoFAController::class, 'resend'])->name('2fa.resend'); Route::get('account/verify/{token}', [PageController::class, 'verifyAccount'])->name('user.verify');
the session in config/session.php is set to "file" as well as for .env it is working for me but for some users they are experiencing the 419 error
Level 122
@mstrph28 new questions are free of charge
1 like
Level 4
Just ran accross the same problem on my local app.
Turns out, I use Valet with self-hosted certificates and I was accessing the app via http://
Switching to https:// resolved the problem.
Please or to participate in this conversation.