goatshark

CSRF mismatch with multipart/form-data

Hello humans,

I have a handful of forms in my application. They're all rendered by Blade. All but one of them are working. The one that is not working is throwing the csrf mismatch exception. I have checked the inspector and see that the token for this form is identical to the token for all of the other forms in my application. The only difference between this form and others is that it has an enctype of multipart/form-data.

Form generation on a form that works:

{!! Form::open(['route' => 'dhcp.sharedNetwork.store']) !!}

Form generation on this one form that doesn't work:

{!! Form::open(['route' => ['ont.software.store', $type->id], 'files' => true]) !!}

Other applicable, possibly interesting, and hopefully helpful facts:

  1. This form works in my dev environment (homestead). It is only on the production server that it isn't working. I have other applications that use multipart/form-data forms on the production server that seem to work.
  2. The php5-fpm version on the production server is 5.5.9 while the php5-fpm version in homestead is 5.6.11.

Any thoughts on this? Any suggestions for further troubleshooting this? Thanks in advance for any feedback!

goatshark

An update: I tested two things:

  1. I begrudgingly upgraded the production server to php 5.6. No change.
  2. I set another one of my forms to enctype multipart/form-data. That form is still happy....and working. Granted, there was no file uploaded with it, but that makes me think that this problem is not (or might not be) related to multipart/form-data.

grrrr....

goatshark (OP, Best Answer)

Holy *&^%!!!

Fixed...I guess. So you know when you're trying to perform file uploads and you need to adjust nginx and php-fpm?

I had added client_max_body_size 100M; to /etc/nginx/nginx.conf, but I had not modified /etc/php5/fpm/php.ini so post_max_size and upload_max_filesize were still at their defaults. After making these modifications:

upload_max_filesize = 100M
post_max_size = 100M

Everything works. Here's the question..... how in the hell did this produce a CSRF mismatch?!?! Baffling to me.

xeezawaki

Hi there!

Had exactly the same problem, and I solved it the same way you did. I think I know the cause of the CSRF mismatch, as my form was intended to upload big files (my testing file was 9MB in size), and my upload_max_filesize as well as post_max_size from php.ini were set to PHP defaults (2MB and 8MB).

My hypothesis is that if you upload a file bigger than the php.ini established limits, your CSRF input containing the token is not sent (because PHP truncates or doesn't send anything at all). Then the middleware triggers the Token Mismatch exception, because it hasn't received the CSRF input field with the token. (Haven't much time to watch and debug, those are just guesses.)

That's my 0.5¢, please feel free to correct/expand/evaluate/deny this hypothesis.

Cheers!
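An added example, not part of any post in this thread: PHP leaves $_POST and $_FILES empty when the request body exceeds post_max_size, so this check compares Content-Length with that limit to tell an oversized upload apart from a genuine token mismatch. The helper names iniSizeToBytes and postBodyWasDiscarded are hypothetical, and the sample request at the end is constructed.

```php
<?php
// Added example; helper names are hypothetical, not Laravel or PHP APIs.

/** Convert a php.ini shorthand size ("8M", "1G", "512K", "2048") to bytes. */
function iniSizeToBytes($value)
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;              // leading digits only: "8M" -> 8
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;       // fall through
        case 'M': $number *= 1024;       // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

/**
 * True when the request body was larger than post_max_size, in which case
 * PHP hands the application empty $_POST and $_FILES arrays and the hidden
 * _token field never reaches the CSRF middleware.
 */
function postBodyWasDiscarded(array $server, array $post, array $files, $postMaxSize)
{
    $limit  = iniSizeToBytes($postMaxSize);
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '';
    $length = isset($server['CONTENT_LENGTH']) ? (int) $server['CONTENT_LENGTH'] : 0;

    return $method === 'POST'
        && $limit > 0                    // post_max_size = 0 disables the limit
        && $length > $limit
        && $post === [] && $files === [];
}

// Live check, e.g. early in the front controller or in a middleware.
if (postBodyWasDiscarded($_SERVER, $_POST, $_FILES, (string) ini_get('post_max_size'))) {
    error_log('POST body exceeded post_max_size; form fields, including the CSRF token, were dropped');
}

// Constructed sample: the 9MB upload from the thread against the 8M default,
// then against the 100M value the original poster configured.
$sample = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => (string) (9 * 1024 * 1024)];
var_dump(postBodyWasDiscarded($sample, [], [], '8M'));
var_dump(postBodyWasDiscarded($sample, [], [], '100M'));
```

Logging this condition separately keeps oversized uploads from being counted as CSRF failures when reviewing application logs.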
