Can&#39;t solve TokenMismatchException in VerifyCsrfToken.php line 53

Level 8

@kirchevsky check your session config path:

'files' => storage_path().'/framework/sessions',

Verify now in project folder structure it is the same.

Remove everything inside the session folder.

Try again.

Level 1

Tried to clear sessions folder, checked config, tried to move sessions to database. The situation the same.

Level 1

Sessions config there: http://pastebin.com/255ASyYu

VerifyCsrfToken class there:
http://pastebin.com/zMyTtTpL

App config there: http://pastebin.com/dihYY0EB

Routes there: http://pastebin.com/6xjt5w90

Level 1

When we try to disable csrf protection it's always redirects us to login page. I think that the problem inside Auth middleware but can`t locate it a few days.

P.S. I`m a beginner, so sorry for some stupid questions :)

thomaskim

Level 41

@kirchevsky What version of PHP are you running? With Laravel 5.1, you need to be running PHP >= 5.5.9.

zachleigh

Level 47

Does your browser accept cookies?

Level 1

PHP - 5.6.2 Browser accept cookies - tested with latest Safari and Chrome.

Level 27

@kirchevsky Okay, one matter at at time. Unless you've modified VerifyCsrfToken, or the sessions file in a drastic way, no point looking in there. config/app.php does nothing also in this realm.

You say you disable the csrf protection and you get redirected to the login?

where are you disabling it and how? (code, please)
which url are you hitting that redirects you to login once you disable csrf?
when do you get the original error? Is that during login?
"Using form generator so token is generating for the login form automatically." - What does that mean?
Have you tried to dump what's being posted during the login? -- IF not place the following in your routes.php instead of

Route::post('auth/login', 'Auth\AuthController@postLogin');

Replace with:

Route::post('auth/login', function(Illuminate\Http\Request $request){
    dd($request);
});

Share your findings then.

Best, sid

Level 1

sif405, thx for your answer.

VerifyCsrfToken is original now, all modifications i made is commented and that was just a try.

I disabled the csrf security in App\Http\Kernel.php by commenting the line:

//        \App\Http\Middleware\VerifyCsrfToken::class,

The '/home' route redirects me to the login page. Yes, the error is just after we pressing button Login. I mean that i don't put token to the form manually, it present in login form and generated by system. Dump - http://pastebin.com/amQiUmRs

Level 27

@kirchevsky It makes sense that you'd be directed to the auth if you hit home. You got the following in your routes file

Route::get('/home',[
    'middleware' => 'auth',
    'uses' => 'MainController@index'
]);

Also now let's try to dump

Route::post('auth/login', function(Illuminate\Http\Request $request){
    dd($request->input());
});

Can i see the login view?

Level 1

sid405, that what we have on dd($request->input()

array:3 [▼
  "_token" => "Z8DpsoKKc6SRAPYnvD0aIEQTn8GfTwvwJUcBWUFC"
  "email" => "xxx@xxx.com"
  "password" => "password"
]

The real data (login+password) replaced with sample data of course.

Level 1

@extends ('cleanlogout')

@section('content')
<div class="text-center">
                        <h3 class="page-header">Login</h3>
                    </div>
<div class="text-center">
<form method="POST" action="/auth/login">
    {!! csrf_field() !!}

    <div class="form-group">
        <label class="control-label">E-mail</label>
        <input class="form-control" type="email" name="email" value="{{ old('email') }}">
    </div>

    <div class="form-group">
        <label class="control-label">Password</label>
        <input class="form-control" type="password" name="password" id="password">
    </div>

    <div class="form-group">
        <input class="form-inline" type="checkbox" name="remember"> Remember Me
    </div>

    <div class="form-group">
        <button class="form-control" type="submit">Login</button>
    </div>
</form>
</div>
@stop

Level 27

@kirchevsky And even after you comment out Csrf in Kernel.php you get the same?

php artisan clear-compiled
composer dump-autoload

Other than that idk, i'd have to fiddle with the code myself.

Have you had a search round the forum for a similar issue?

Level 1

The login form from browser:

<form method="POST" action="/auth/login">
    <input type="hidden" name="_token" value="Z8DpsoKKc6SRAPYnvD0aIEQTn8GfTwvwJUcBWUFC">

    <div class="form-group">
        <label class="control-label">E-mail</label>
        <input class="form-control" type="email" name="email" value="">
    </div>

    <div class="form-group">
        <label class="control-label">Password</label>
        <input class="form-control" type="password" name="password" id="password">
    </div>

    <div class="form-group">
        <input class="form-inline" type="checkbox" name="remember"> Remember Me
    </div>

    <div class="form-group">
        <button class="form-control" type="submit">Login</button>
    </div>
</form>

Level 1

I've searched via Google all similar issues, tried all solutions founded on every website and nothing. The forum topic - it's a last thing i've tried :)

Level 1

https://dl.dropboxusercontent.com/u/35400710/tg.zip - the full archive of all this, if anybody will try to find a few minutes to help.

Level 27

Picking it up

Level 27

@kirchevsky OOOOOOKay. Solved. This was an interesting dive down the rabbit hole.

in config/roles.php, remove the white spaces before the <?php tag on the first line. That was preventing your session from being stored and caused that nasty 'Redirecting to ...' screen.
In MainController.php remove the guest middleware

// $this->middleware('guest');

You have 'auth' middleware on the route and guest on the controller. This causes a redirect loop and makes your app unusable

Enable \App\Http\Middleware\VerifyCsrfToken::class in Kernel.php
In config/sessions.php set domain

'domain' => null,

The problem was the cookie stored in the Session was not the one in the form.

in views/auth/login

{ {  csrf_field() } } instead of {!! csrf_field() !!}

That's it. Your app works just fine on my end.

Registers and logs in users with csrf protection as per usual. Now you can continue to implement your ACL

Best. sid

6 likes

Level 1

Will try :) And... you are my hero )))) Thx a lot!

vandyczech

Level 3

try :

csrf_token()

instead of:

csrf_field()

1 like

Level 1

Everything works fine. Thank you a lot. Sorry for stupid situation.

Level 27

@kirchevsky No worries buddy. ps don't forget to vote the answer :D

mario_ene

Level 6

This solution worked for me:

Add {{ csrf_field() }} anywhere in the form.

1 like

HireMedia

Level 1

i Have:

-   'files' => storage_path('/framework/sessions'),

-   <form method="POST" action="/auth/register">
        {!! csrf_field() !!}

I Do:

-   domain => 'domain.com' 

-   perm. to 777 on the folder -> framework/sessions

it works.

rluena

Level 1

Both routes, the one pointing to a form for registration and that processing registration, are suppose to inside web middleware https://youtu.be/hJIc9lVTJj4?t=23m2s

DougHubbard