OskarD's avatar

[5.12] G Chrome causes TokenMismatchException on form submit

This started happening a few days ago, about 30 hours into development. Reverting with version control to a moment before the bug was discovered does not fix the error.

Laravel 5.1

Windows 8.1

Google Chrome Version 43.0.2357.124 m & Version 43.0.2357.130 m (I updated)

PHP Version 5.6.8

  • Only happens on my Chrome browser (Tested latest IE and latest FF)
  • Happens in incognito mode as well
  • Occurs more often than not (About 90% of the time I submit a form)
  • Does not appear to have anything to do with the frequency of form submissions
  • Happens in both prod and local APP_ENV

0 likes
21 replies
OskarD's avatar

After further investigation, it turns out that the token returned from the session often becomes regenerated. I don't know why. Is Google Chrome doing something stupid?

vendor\laravel\framework\src\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken.php:79

    public function handle($request, Closure $next)
    {
        dump($request->input('_token'));
        dump($request->header('X-CSRF-TOKEN'));
        dd($request->session()->token());
        if ($this->isReading($request) || $this->shouldPassThrough($request) || $this->tokensMatch($request)) {
            return $this->addCookieToResponse($request, $next($request));
        }

        throw new TokenMismatchException;
    }

Result:

"7MT0g2SwgejS2alE6xDoTqA1ZnT6FFbSIcaCawuS"
null
"NJhVgyUQxu82nOgkkBSzio8b7R8GM7pZJoYFnG5k"

The weird thing is how the correct token eventually comes back (Usually after 3-5 refreshes)

OskarD's avatar

Does anyone have a clue why this may be?

s-matic's avatar

I've also been having this issue for a while now and would really like to resolve it. So if anyone has any idea about what may be causing this, feel free to reply..

jimmck's avatar

This is not a bug in Chrome. The token you use for your POST will eventually expire. When it does you get a new one and POST again. In 5.1 you can set the routes to ignore the token checking or you can grab a new token.

s-matic's avatar

Sure the token will expire eventually, but in my case this is happening at the login screen which you only stay at for a very short period of time, thus the token should not expire. Also this happens every time when trying to login with the 'remember me' set to true.

1 like
OskarD's avatar

It is the same for me. I hope someone can figure this one out.

thomaskim's avatar

@OskarD I posted this in @skovmand 's thread, but I'll repeat it here.

The session most likely expired, and my suggestion would be to open your app/Exceptions/Handler.php file and do something like this:

    // At the top of app/Exceptions/Handler.php, with the other imports
    use Illuminate\Session\TokenMismatchException;

    // Inside the Handler class
    public function render($request, Exception $e)
    {
        // Send the user back to the form with their input instead of an error page
        if ($e instanceof TokenMismatchException) {
            return redirect()->back()->withInput()->with('error', 'Your session has expired');
        }

        return parent::render($request, $e);
    }

skovmand's avatar

This is a copy of my post from my own question (https://laracasts.com/discuss/channels/laravel/random-tokenmismatchexceptions?page=1#reply-90181), but it is worth repeating here? Did anyone find a solution?

TL;DR: It is not session timeout.


The last two days I have done an experiment and put a hidden input field into my login-page. This field contains the time of the page load, so I can see how old the session is.

I just got a fresh TokenMismatchException thrown - and the session was only about 20 seconds old. This means that for some reason a new session had been initialised on the server, since the csrf_token has changed.

So, the error doesn't have anything to do with session expiration.

Any ideas? Any help would be very appreciated!

1 like
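
A server-side version of the experiment described above, as an added example that is not part of the original post or of Laravel itself: a middleware that, on a token mismatch, logs whether the browser sent a usable session cookie and how old the server-side session data is, which separates "cookie not sent", "session data lost" and "stale token" cases. The class name `CsrfMismatchDiagnostics` and the `diag_started_at` session key are assumptions.

```php
<?php
// Added diagnostic example, not from the thread. The class name and the
// 'diag_started_at' session key are assumptions made for illustration.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Log;

class CsrfMismatchDiagnostics
{
    public function handle($request, Closure $next)
    {
        $session = $request->session();

        // A null value means the cookie was absent or failed decryption.
        $cookieUsable = $request->cookies->get(config('session.cookie')) !== null;

        // Stamp the session the first time its data is seen by the server.
        $isFresh = ! $session->has('diag_started_at');
        if ($isFresh) {
            $session->put('diag_started_at', time());
        }

        if (! in_array($request->method(), ['GET', 'HEAD', 'OPTIONS'])) {
            $sent = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
            if (! is_string($sent) || ! hash_equals($session->token(), $sent)) {
                // Log a hash of the session id, never the id or the tokens.
                Log::warning('CSRF mismatch diagnostics', [
                    'cause'         => $this->classify($cookieUsable, $isFresh),
                    'session_age_s' => time() - $session->get('diag_started_at'),
                    'session_ref'   => substr(hash('sha256', $session->getId()), 0, 12),
                    'user_agent'    => $request->header('User-Agent'),
                ]);
            }
        }

        return $next($request);
    }

    private function classify($cookieUsable, $isFresh)
    {
        if (! $cookieUsable) {
            return 'no usable session cookie on the request';
        }
        if ($isFresh) {
            return 'cookie sent, but session data was empty (expired, lost or unreadable)';
        }
        return 'session intact, submitted token is stale or missing';
    }
}
```

Register it in `app/Http/Kernel.php` after `StartSession` and before `VerifyCsrfToken`, so the session is loaded when it runs and the entry is written before the exception is thrown.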
jimmck's avatar

You need to get a new token. That's all.

skovmand's avatar

I don't agree. It is the session being restarted randomly, which shouldn't happen.

Also I think you should be careful about opening a get-route for tokens, since that could be a security problem if it is discovered. That could open the door for CSRF again. Or in other words, your server should not allow CORS-requests.

Snapey's avatar

I have seen similar issues. Using the dropzone plugin as per Jeffrey's project flyer, when selecting multiple files the upload would work for 3 or 4 files and then show token mismatch with the others. These were all uploaded in one drop so it makes no sense that the token should become invalid mid uploads (all separate Ajax calls).

OskarD's avatar

Thank you for sharing your progress @skovmand . I will try everything out once I get a chance to resume the project I was working on and let you know how it goes!

Jmac's avatar

How is this going? I am experiencing the same issues on the production environment.

The customer wants to have sessions that last 30 days and it seems like this is causing some token mismatch errors according to the log files. The mismatch seems to be totally random, I cannot see a pattern.

I have looked on the threads on Github and here with no luck.

Later this week I will try to change to the DB-driver for sessions.

shez1983's avatar

can you try to clear your cookies, session & all cache.. & then try again..

natcave's avatar

Hey. I'm having the same issue with Chrome. Very strange (and frustrating).

For me it's only when the "remember" cookie is set. If the remember cookie is set and I delete it, the form processes properly.

Firefox works fine, only Chrome is kicking back the Token Mismatch.

Just curious if anyone figured this out.

jessiesanford's avatar

I am also experiencing this issue, have been trying to solve it for the better part of a week now. All the potential solutions posted online I've tried have been useless since it is occurring completely at random. Has anyone had any luck with fixing this yet? "Frustrating" is an understatement.

natcave's avatar

Hey @jessiesanford

I can definitely relate. This problem was driving me nuts. I had to switch from Wamp to Laragon. Thankfully I haven't had the problem since. Laragon is pretty cool https://laragon.org/

Check this thread I created if you're curious about my saga lol. Scroll to the bottom for the happy ending.

https://laracasts.com/discuss/channels/laravel/laravel-not-reading-session-cookie-on-form-post-in-chrome-when-logged-in-with-remember-me
