
JackJones's avatar

CSRF token mismatch/419 errors when session set to database

Hi all,

I have this view:

<form method="post" action="{{ route('test.update') }}">
    @csrf()
    <button>test</button>
</form>

and these routes with a controller:

<?php

use Illuminate\Support\Facades\Route;

Route::group(['namespace' => 'App\Http\Controllers'], function () {

    Route::get('test', ['uses' => 'TestController@index', 'as' => 'test']);
    Route::post('test', ['uses' => 'TestController@update', 'as' => 'test.update']);

});



<?php

namespace App\Http\Controllers;

class TestController extends Controller
{
    public function index(){
        return view('test');
    }

    public function update(){
        return 'success';
    }
}

Here is my .env:

If I set my SESSION_DRIVER=file then everything works as expected, but if I set it to SESSION_DRIVER=database then I get a 419 error.

What could be causing the issue?

aleahy's avatar

Does your database have the session table?

JackJones's avatar

@aleahy Yes, and if I set it to database then I get records stored in it:

INSERT INTO `sessions` (`id`, `user_id`, `ip_address`, `user_agent`, `payload`, `last_activity`) VALUES
('SFaUwANHgDeFwVHMRSh4nZvjqtpHntDXwTnmz2o2', NULL, '127.0.0.1', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0', 'YTozOntzOjY6Il90b2tlbiI7czo0MDoiTXd0elJiSzc1WjRLMGtaRHZQeEw5SWtZdkU1elVpSDROa3h3RXVzQyI7czo5OiJfcHJldmlvdXMiO2E6MTp7czozOiJ1cmwiO3M6Mjc6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9sb2dpbiI7fXM6NjoiX2ZsYXNoIjthOjI6e3M6Mzoib2xkIjthOjA6e31zOjM6Im5ldyI7YTowOnt9fX0=', 1724463562);

That's the record I get.

JackJones's avatar

Another weird thing is that if I'm logged out then everything works, but if I log in then I just get 419/token mismatch errors on every post/patch route.

EDIT: I've noticed that I'm not getting any session records when I'm logged in.

Here is how I'm logging in:

<?php

namespace App\Http\Controllers;

use App\Http\Requests\Auth\AuthLoginRequest;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;
use Illuminate\View\View;

class AuthController extends Controller
{
    public function showLoginForm(): View
    {
        return view('auth.login');
    }

    public function login(AuthLoginRequest $request): RedirectResponse
    {
        $credentials = $request->only('username', 'password');

        if (Auth::attempt($credentials, true)) {
            $request->session()->regenerate();
            $request->session()->flash('success', 'Login successful!');

            return redirect()->intended(route('home'));
        }

        return redirect()->back()->withErrors(['username' => 'Incorrect username or password.']);
    }
}

EDIT AGAIN: I think I've found the issue. In config/auth.php I've changed it to:

    'providers' => [
//        'users' => [
//            'driver' => 'eloquent',
//            'model' => env('AUTH_MODEL', App\Models\User::class),
//        ],

         'users' => [
             'driver' => 'database',
             'table' => 'users',
         ],
    ],

And now I think everything is OK. My tests are all passing now; I'll test more and come back if it's still broken.

Snapey's avatar

419 errors are often actually session issues and nothing to do with the CSRF token.
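
One way to tell a session-persistence failure from a real token mismatch when chasing a 419 with the database driver. This is an added example, not part of the thread and not Laravel's own code; the function names and the sample row are constructed, and it assumes the `payload` column holds base64-encoded PHP `serialize()` output, as in the row posted above.

```php
<?php
// Added diagnostic sketch: helper names are hypothetical, sample data is constructed.
// Assumption: sessions.payload = base64_encode(serialize($attributes)).

/** Decode a sessions.payload value into the attribute array, or null if malformed. */
function decodeSessionPayload(string $payload): ?array
{
    $raw = base64_decode($payload, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false: never instantiate objects from stored session data.
    $data = @unserialize($raw, ['allowed_classes' => false]);

    return is_array($data) ? $data : null;
}

/** Classify why a POST carrying $submittedToken would be rejected for this session row. */
function diagnose419(?array $row, string $submittedToken): string
{
    if ($row === null) {
        return 'no session row: nothing was persisted for this session id, so no stored token can match';
    }

    $session = decodeSessionPayload($row['payload'] ?? '');
    if ($session === null || !is_string($session['_token'] ?? null)) {
        return 'session row exists but its payload carries no usable _token';
    }

    // Constant-time comparison, as is appropriate for any secret token check.
    if (!hash_equals($session['_token'], $submittedToken)) {
        return 'token mismatch: the form was rendered under a different session';
    }

    return 'token matches: the rejection is not caused by this session row';
}

// Constructed sample data (not taken from the thread).
$token = str_repeat('A', 40);
$row = ['payload' => base64_encode(serialize(['_token' => $token, '_flash' => ['old' => [], 'new' => []]]))];

echo diagnose419($row, $token), PHP_EOL;               // stored and submitted tokens agree
echo diagnose419($row, str_repeat('B', 40)), PHP_EOL;  // stale or foreign form token
echo diagnose419(null, $token), PHP_EOL;               // the logged-in case described above
```

The `null` row case corresponds to the observation in the thread that no session records appeared after logging in: the form's token is fine, but there is no stored session to compare it against.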
