
design_studio

'CSRF token mismatch' sometimes

The setup: I have a WordPress site (not mine) that is the main URL (let's say 'example.com'). I created a Laravel app which has a form. This app is located somewhere else on the server and the main site links to it using a symbolic link (let's say 'example.com/demo-form'). All action for the Laravel app is done inside, with no relation to the WordPress main site.

The problem: When submitting the (Laravel) form, which is done using JS, I get a 'CSRF token mismatch' error. Another issue is that it is not consistent. Sometimes I get the error and other times not.

Any ideas?

LaryAI

It sounds like you're encountering intermittent CSRF token validation issues with your Laravel application. Here are a few steps you can take to troubleshoot and potentially resolve the problem:

  1. Ensure Session Cookie Domain is Correct: If your Laravel app is on a subdomain or has been linked from the main domain, make sure that the session cookie is accessible. In your config/session.php, you can set the domain attribute to your main domain to ensure the session cookie is shared correctly.

'domain' => '.example.com',

  2. CSRF Token Meta Tag: Ensure that your Laravel app's layout includes the CSRF token meta tag. This should be present in the <head> section of your HTML.

<meta name="csrf-token" content="{{ csrf_token() }}">

  3. Update AJAX Setup: If you're using AJAX to submit the form, make sure that the CSRF token is included in the request. If you're using jQuery, you can set up a global AJAX setup like this:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

  4. Check Middleware: Ensure that the VerifyCsrfToken middleware is applied to your route. If you have custom middleware or if you've excluded the route from CSRF protection, this could be causing issues.

  5. Session Timeout: If the CSRF token mismatch occurs after a period of inactivity, it could be due to session timeout. You might want to increase the session lifetime in config/session.php.

'lifetime' => 120, // Time in minutes

  6. Cache Issues: Sometimes, a mismatch can occur if the application is being served from a cache. Make sure that the form page isn't being cached by setting appropriate headers.

  7. Logging for Debugging: Add logging to the App\Http\Middleware\VerifyCsrfToken middleware to log when a token mismatch occurs. This can help you identify patterns or specific conditions under which the mismatch happens.

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
use Illuminate\Support\Facades\Log;

class VerifyCsrfToken extends Middleware
{
    // Override of the framework method: same matching logic, plus a log line on mismatch.
    protected function tokensMatch($request)
    {
        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
            $token = $this->encrypter->decrypt($header, static::serialized());
        }

        $sessionToken = $request->session()->token();

        // hash_equals() requires two strings; a missing token must not raise a TypeError.
        if (! is_string($token) || ! is_string($sessionToken) || ! hash_equals($sessionToken, $token)) {
            // Log the mismatch details here
            Log::warning('CSRF token mismatch.', ['session_token' => $sessionToken, 'input_token' => $token]);

            return false;
        }

        return true;
    }
}

  8. Clear Cookies and Cache: Advise users to clear their cookies and cache. Sometimes old or corrupted cookies can cause this issue.

  9. Cross-Origin Requests: If your form is being submitted from a different domain, ensure that you're not running into cross-origin issues. Laravel by default blocks cross-origin requests for security reasons.

If after trying these steps the issue persists, you may need to provide more specific details about your setup, including how the form is being submitted via JavaScript and any relevant configurations that might affect session or CSRF token handling.

Snapey

Don't forget that the token is only valid for the session lifetime. If you leave the browser on the form for a couple of hours, then come back and fill it out, posting will fail with a CSRF error.

design_studio

I think it is related to cache issues, like the AI suggested. It says: "Make sure that the form page isn't being cached by setting appropriate headers". What headers do I need to set?
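An added example of the headers in question (this is not code from the thread or from Laravel itself): a small Laravel middleware that marks the form response as uncacheable, attached to a /demo-form route. The route, controller and middleware names are assumptions. The reason this matters for an intermittent mismatch is that a cached copy of the form page carries the _token of whichever session first rendered it; any later visitor served from that cache submits a stale token against their own session, and the request fails only when the cache, rather than the app, answered the page request.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example middleware (not part of the original thread): tells browsers,
 * CDNs, reverse proxies and page-cache plugins never to store this response,
 * so every visitor gets a form whose _token belongs to their own session.
 */
class NoStoreFormResponse
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // no-store: never write the response to any cache.
        // no-cache / must-revalidate / max-age=0: belt and braces for caches
        // that ignore no-store. Pragma and Expires cover HTTP/1.0 proxies.
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
        $response->headers->set('Pragma', 'no-cache');
        $response->headers->set('Expires', '0');

        return $response;
    }
}

// routes/web.php (assumed route and controller names):
//
// use App\Http\Controllers\DemoFormController;
// use App\Http\Middleware\NoStoreFormResponse;
//
// Route::get('/demo-form', [DemoFormController::class, 'show'])
//     ->middleware(NoStoreFormResponse::class);
```

To confirm the headers actually reach the browser, request the form page through the public URL (the symlinked path on the WordPress host, not the Laravel app directly) and inspect the response headers, for example with `curl -sI https://example.com/demo-form`. If Cache-Control shows no-store there, any remaining stale form must come from a cache that sits outside the request path you just tested; if the header is missing, something between Laravel and the client is rewriting or stripping it, and that layer is where the cached copy is being served from.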
