
ralphmorris's avatar

Occasional TokenMismatch error - Is that normal?

Hi,

I launched my first Laravel app about 4 months ago with Laravel 5.2, Forge & Digital Ocean. All is going well so far but have noticed Sentry has flagged the TokenMismatch error 5 times since October 3rd. We have 225 users so far, approx 1000 users a month, average duration on the site is 5 mins.

It looks like 3 separate occasions though in 3 different parts of the site. I haven't found any issue when using those sections myself.

3rd Oct - Creating a resource. The user does not have to be logged in but has an account created after creating the resource. Many users have since created the same resource just fine.

10 Oct - 3 errors on the same user action. Update another resource with ajax. I have tested this but all seems to work fine for me. The user must be logged in to get to this page.

21 Oct - postLogin method when logging in.

I have read other posts where the TokenMismatch error is happening multiple times a day. Is it normal to get a few of these errors here and there?

Thanks!

Ralph

0 likes
5 replies
ejdelmonico's avatar

@ralphmorris I get them every once in a while from my apps that contain auth. I use BugSnag and from there I can see who the user is, what device, browser. I figured out real quick that the same folks would have it happen. It turns out that they have some type of cookie/session cleaning app running for privacy. That is about all I know for this occasional issue. Another is with Guzzle, sometimes it fails and throws an error but the person completes the request directly afterward.

Just double-check that you have your forms set up correctly with the token and that, if using AJAX, you send it as a header or put a meta tag in the document head. Oh, yeah, Opera Mobile causes more than a few of those errors too.

Snapey's avatar

It can happen quite easily if the user goes away for a couple of hours whilst leaving your site 'open' on a form

They come back and fill in the form and you get a token mismatch because their session has expired

You can look at the logs and decide if that is a page that they might leave open. One thing I do is disable csrf on login forms because it is not doing any good there.

1 like
ralphmorris's avatar

Thanks guys for your responses. Congrats @Snapey on the 1000 best answers!

@ejdelmonico - Just to double check. My forms all contain the _token hidden input and all I'm doing is serialising the form with something like:

        $.ajax({
            type: "POST",
            url: $('form').attr('action'),
            // serialize() includes the _token hidden input with the rest of the fields
            data: $('form').serialize()
        });

So the token is inside with the form data.

In parts where I am sending an ajax request without the use of a form I use

        $.ajaxSetup({
            headers: {
                'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
            }
        });

@Snapey - would you mind expanding on why the CSRF isn't needed on the login form? One of the forms is located on the homepage so it's very possible that the user has left and come back later. The other is the login page so this would be possible also. The third is a logged in profile page where they can add/update bits of info.

Thanks!

Snapey's avatar

The point about a cross-site request forgery is getting a user to action something which then gets posted back to a site they are currently authenticated with.

With a login form there is nothing that a bad actor could do indirectly that they could not do directly themselves through the login form.

So to me, if the user is not logged in then the forms they submit or are submitted in their name are not dangerous.

Not sure if I'm explaining it well...

1 like
