natcave's avatar
Level 10

Laravel not reading session cookie on form post in Chrome when logged in with Remember Me

I'm sorry for the long title. Although I've seen similar posts, this problem is specific.

I use Chrome for testing my projects. Seemingly out of nowhere I started getting TokenMismatch Exceptions when I submit forms. I knew this could be because the CSRF token expires after some time. However, this happens consistently, even if you submit the form immediately after the page loads. I eventually figured out the Exception only occurs when I checked "Remember Me" at login. Here are my test results:

  • Chrome + Uncheck Remember Me at login + Form Post = Success

  • Chrome + Check Remember Me at login + Form Post = TokenMismatch Exception

  • Chrome + Check Remember Me at login + Delete Remember Me Cookie + Form Post = Success

  • Firefox/IE + Check/Uncheck Remember Me at login + Form Post = Success

I figured out the reason why I'm getting TokenMismatch Exception. In between the form post I mysteriously lose the session. A new session generates automatically in the background, resulting in a new CSRF token, resulting in the TokenMismatch Exception.

I tried everything I could think of:

  • deleting cookies/browser data
  • restarting Chrome
  • reinstalling Chrome
  • restarting the server
  • changing the Laravel session driver
  • removing middleware
  • reinstalling Laravel
  • deleting the vendor folder
  • starting a fresh Laravel project

Absolutely none of these fix or change the problem. I've been at this for 2 days now, scouring Google for clues. I can't find any answers, only a few posts from people who may have had the same problem but haven't yet reported an answer. Very strange.

Finally, after a night's sleep I found my biggest clue yet. I set up a temporary dd($request) to reveal the request variables. When the TokenMismatch Exception occurs, within the response output I get:

Request
        {+cookies: ParameterBag {
                #parameters: array[
                        larvel_session: null

Note the "null" for larvel_session. When the form posts successfully (on Firefox with Remember Me cookie), the dd($request) outputs:

Request
        {+cookies: ParameterBag {
                #parameters: array:[
                        larvel_session: session_token_here

I checked the post headers in Chrome. Everything looks correct. Chrome is sending the session cookie to the server. I put a temporary var_dump($_COOKIE) at the top of the server.php file. Chrome is sending the cookie to PHP. However, the dd($request) shows me that Laravel drops the ball somewhere, changing the value to null. Maybe there is some logic as to why it's doing this. Still, I need to fix it so the session persists and the form posts without a TokenMismatch Exception. The "session = null" is a great clue, but I don't nearly know enough about Laravel to troubleshoot past this point. What might be going on behind the scenes to cause Laravel to "null" the incoming session cookie when receiving a form post from Chrome along with the remember me cookie? It's a mouthful, but a valid description.

If you have experienced this phenomenon, please share the steps you took to repair it. Also, if you have any suggestions on how to solve this problem I would truly appreciate it, as will the next person frantically Googling for clues. I've come so far learning Laravel, I'd hate to have to stop here. Thanks!

0 likes
9 replies
natcave's avatar
Level 10

Ok. Here's another clue. In App\Http\Kernel.php I commented out this line in middlewareGroups:

\App\Http\Middleware\EncryptCookies::class

Like magic it's working. I'm guessing the EncryptCookies middleware doesn't like the incoming cookie from Chrome.

Any thoughts how to troubleshoot from here?

2 likes
natcave's avatar
Level 10

Here's the latest big clue yet:

Although Chrome looks like it's sending the entire encrypted session cookie, the end of the cookie value is missing in Laravel.

Here is the session cookie value Chrome sends:

eyJpdiI6Ik1BY1M0XC9Ma3luZjlBdGp6S3BOWWZ3PT0iLCJ2YWx1ZSI6IkU1SEh5dDNLZEFRTmVGTTNZM2NkRVRiUExleWRlbGpcL1M2clR2VWlaTm1pQnhrSnl1djVhc2wzU3l5NHNaMDhhVGphaUVadGlqZEpJMmxxV2VVWUtZQT09IiwibWFjIjoiODBiMTQ3OTc4ZWFjNmVlNDA1YjhlZDA1YmNiYmFiMmJlOTcxMTczMjI3ZjFhZDZmYTQ0NjNmMmYyMTU2NDFkMiJ9

Here is what the server reports:

eyJpdiI6Ik1BY1M0XC9Ma3luZjlBdGp6S3BOWWZ3PT0iLCJ2YWx1ZSI6IkU1SEh5dDNLZEFRTmVGTTNZM2NkRVRiUExleWRlbGpcL1M2clR2VWlaTm1pQnhrSnl1djVhc2wzU3l5NHNaMDhhVGphaUVadGlqZEpJMmxxV2VVWUtZQT09IiwibWFjIjoiODBiMTQ3OTc4ZWFjNmVlNDA1YjhlZDA1YmNiYmFi

Here is the entire cookie string:

remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IndDS1lrTkxVeGdMY1N1XC9uVERyVWx3PT0iLCJ2YWx1ZSI6Im5jVUtKdG5FZ01QbkJnTDNJV1RMMnhpd3Nja1wvS1NESVV6Rm83MjdXQmFcLyszSUtvOGVIM2V2MUtWd0VpelJUU3hXRVhhMmdCR1JINEFTUzBMTTd4TGVcL0lSeTZleUMwZXBxb1hsK25SRmtNPSIsIm1hYyI6IjNjNmNhNGE2YWMwNmEwZjI1ODI2ZjU3ODE2M2ZlNDIwZWMzNDM0MTMyMzdmNTFkYmQ0YTY1NzFkZDNhM2RjMGUifQ%3D%3D; _gat=1; XSRF-TOKEN=eyJpdiI6IlQ2aHpnNmN0V2w1bWtKZU03SnlKeFE9PSIsInZhbHVlIjoiVWJhdzVSOXFibDhSRTJRcVQrWXBOVkVzN3NGSnFmb1ZFRlozTzlcL29La0F4dXZmU1U5dGZTOXdHMUl5NSs4Q3NDK1dXTVdacll0c1NBeXNzTXYzTnBRPT0iLCJtYWMiOiI2NGQ4ZTQwOTZjOWIzZTljMTlkYjcxNTEyMjNmY2FjNjhiZGFkYjA4YzRkMmYwZDM1Yzc4ZTVlZGQ3ZmE5YWNkIn0%3D; web_session=eyJpdiI6Ik1BY1M0XC9Ma3luZjlBdGp6S3BOWWZ3PT0iLCJ2YWx1ZSI6IkU1SEh5dDNLZEFRTmVGTTNZM2NkRVRiUExleWRlbGpcL1M2clR2VWlaTm1pQnhrSnl1djVhc2wzU3l5NHNaMDhhVGphaUVadGlqZEpJMmxxV2VVWUtZQT09IiwibWFjIjoiODBiMTQ3OTc4ZWFjNmVlNDA1YjhlZDA1YmNiYmFiMmJlOTcxMTczMjI3ZjFhZDZmYTQ0NjNmMmYyMTU2NDFkMiJ9; _ga=GA#.#.##########.##########

The total length is 988 characters. It cuts off after 907 characters. The final "_ga" cookie (not related to Laravel) doesn't even make it in.

Since Laravel doesn't receive the entire session cookie, the decryption fails and sets the session cookie value to "null", killing the session, CSRF token, and so forth. I still don't know where the breakdown is. If this is a problem with Laravel, why doesn't the same problem happen in other browsers?

My best guess is: with the remember me cookie encrypted, session cookie encrypted, and XSRF-TOKEN cookie encrypted, Chrome hits a limit of what it will send with my form post and decides to trim the cookies, actually only sending part of the value of my session cookie, causing Laravel to fail the decryption and "null" the session. But is this a problem with Chrome sending the cookies or a problem with Laravel receiving the cookies? For the moment I'm stuck. Any ideas?

Here are my thoughts:

  • Is there a setting in PHP/Laravel to increase the amount of cookie data receivable with a post form? (I'm not sure if this exists or for that matter why it would be browser specific, just a thought.)
  • Can I limit the size of the encrypted cookie value? (Since disabling the encryption lowered the string length and post submitted fine.)
  • Do I need to encrypt all these cookies, or any of them? (Since disabling the encryption did the trick, yet I don't want to leave the front door open.)
  • Does Chrome's cookie delivery method differ from other browsers? (I'm trusting Chrome is sending all the cookies because that's what I see in the developer tools, but how would I know for sure?)
  • Is there a way to utilize local storage for these long strings instead of cookies? (If Laravel insists on sending these long strings that Chrome doesn't like, maybe they should be stored in local storage since there is plenty of space in there, though I'm not familiar with using local storage, maybe the protocol rules are more flexible than with cookies.)

I'm still hoping someone with more experience than I have can chime in and save me some steps. I'd appreciate it. Thanks!

1 like
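
Added example, not part of any post in this thread: a server-side check for the symptom described in the post above, reporting each cookie's length in the raw `Cookie` header and whether an encrypted value still decodes completely. It assumes, as the posted cookies show, that an encrypted Laravel cookie is base64 of a JSON object with `iv`, `value` and `mac`; the function names and sample cookie values are hypothetical and constructed (PHP 7.4+).

```php
<?php
// Added diagnostic sketch, not code from the thread or from Laravel.
// Assumption (matches the cookies posted above): an encrypted Laravel cookie
// is base64 of a JSON object with the keys iv, value and mac.

/** Classify one raw cookie value: 'plain', 'ok' or 'incomplete'. */
function classifyCookie(string $raw): string
{
    $value = rawurldecode($raw);              // keeps '+' intact, unlike urldecode()
    if (strncmp($value, 'eyJpdiI6', 8) !== 0) {
        return 'plain';                       // does not start with base64 of {"iv":
    }
    $json = base64_decode($value, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) && isset($data['iv'], $data['value'], $data['mac'])
        ? 'ok' : 'incomplete';
}

/** Per-cookie length and status for a raw Cookie request header. */
function auditCookieHeader(string $header): array
{
    $report = [];
    foreach (explode(';', $header) as $pair) {
        if (trim($pair) === '') { continue; }
        [$name, $raw] = array_pad(explode('=', trim($pair), 2), 2, '');
        $report[$name] = ['length' => strlen($raw), 'status' => classifyCookie($raw)];
    }
    return $report;
}

// Constructed sample values (not real cookies).
$payload = fn (string $seed) => rawurlencode(base64_encode(json_encode([
    'iv'    => base64_encode(substr(hash('sha256', $seed, true), 0, 16)),
    'value' => base64_encode(str_repeat($seed, 8)),
    'mac'   => hash('sha256', $seed),
])));
$sent = 'remember_web_demo=' . $payload('remember') . '; XSRF-TOKEN=' . $payload('xsrf')
      . '; web_session=' . $payload('session') . '; _ga=GA1.2.constructed';
$received = substr($sent, 0, strlen($sent) - 81);   // simulate the lost tail

foreach (['sent' => $sent, 'received' => $received] as $label => $header) {
    printf("%s (%d bytes)\n", $label, strlen($header));
    foreach (auditCookieHeader($header) as $name => $info) {
        printf("  %-20s %4d  %s\n", $name, $info['length'], $info['status']);
    }
}
```

On a live request, pass `$_SERVER['HTTP_COOKIE'] ?? ''` to `auditCookieHeader()` and compare the total length with what the browser's developer tools show as sent.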
ramouspeppy's avatar

I have the same issue here. Do you have the solution yet?

natcave's avatar
Level 10

Hey @ramouspeppy

Unfortunately, no. I'm quite surprised more people haven't run into this problem, especially with all the praise Laravel gets.

I ended up disabling the Remember Me option. You can also disable Encrypt Cookies resulting in a smaller cookie size but I believe that will cause a security vulnerability.

If you find an answer, please share it. Thanks.

ramouspeppy's avatar

Hi @natcave, with this error, I'm still using this project, but I'm faced with another problem. When I use the yajra datatable package and try to load my table, there is always an error. Then I try to refresh, and it goes directly to my login form. So I log in with "remember me" checked and the table is fine, but when I try to insert any data, a TokenMismatch error shows up. Do you have the same problem as me?

ramouspeppy's avatar

Hi @natcave, I finally found the solution for our problems. :D I changed the localhost engine. Previously I was using xampp, and then I changed to laragon. It works nicely. :D Hope this helps you. :D

natcave's avatar
Level 10

Wow!

So far so good.

So the culprit is wamp all along.

It would be great if they put a warning for the newbies migrating from wamp/xampp

Thanks so much @ramouspeppy!

I'm back to work. :-)

1 like