
crork (Level 8):

TokenMismatchException

Hello everyone,

I know this topic was discussed a lot, but here is an issue which seems a little bit different to me.

I'm using Laravel Framework version 5.1.29 (LTS) with the ErrBit logger and I get a lot of TokenMismatchException errors like this:

in [project_root]/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php on line 53

/ → Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
[project_root]/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php:49 → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
/ → Illuminate\View\Middleware\ShareErrorsFromSession::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
[project_root]/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:62 → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
/ → Illuminate\Session\Middleware\StartSession::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
[project_root]/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php:37 → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
/ → Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
[project_root]/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php:59 → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
/ → Illuminate\Cookie\Middleware\EncryptCookies::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
[project_root]/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php:44 → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
/ → Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::handle
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:124 → call_user_func_array
/ → Illuminate\Pipeline\Pipeline::Illuminate\Pipeline{closure}
[project_root]/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:103 → call_user_func
[project_root]/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:122 → Illuminate\Pipeline\Pipeline::then
[project_root]/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:87 → Illuminate\Foundation\Http\Kernel::sendRequestThroughRouter
[project_root]/public/index.php:54 → Illuminate\Foundation\Http\Kernel::handle

And here is the thing which looks odd to me:

REQUEST_URI account.sonyentertainmentnetwork.com:443
SERVER_NAME account.sonyentertainmentnetwork.com
REQUEST_URI www.baidu.com:443
SERVER_NAME www.baidu.com
REQUEST_URI www.alipay.com:443
SERVER_NAME www.alipay.com

Do you guys have any idea why this might happen?

thefuzzy0ne:

Are you sure you're including the csrf_field() in the form?

SukhGill:

It has to be included in the form. If you are processing the form via Ajax / jQuery, you will need to add the token to the meta header.

crork (Level 8):

@thefuzzy0ne, @SukhGill - thanks for your replies, guys.

Yes, sure, the CSRF token is included in the form and everything works fine when using the web application.

The issue is that I keep receiving errors with a strange REQUEST_URI and SERVER_NAME in POST requests tied to the "TokenMismatchException" error,

so the main question is: why could those URLs be in POST requests when they are not related to this project at all?

crork (Level 8):

I mean, is there any chance that someone is trying to hack it?

Or could it be some crawler bot or something of this kind?

Maybe someone has already experienced this.

thefuzzy0ne:

I don't know for a fact, but I immediately suspected that these systems might have been compromised and are trying to submit a form to your server without the CSRF token. You might need to write a little code into your form validation that will only allow forms to accept submissions that originate from your server.

Is this form publicly available, or should it only be available to authenticated users?

crork (Level 8):

I've found another interesting fact that proves that they were not using forms at all: $_SERVER['REQUEST_METHOD'] was either "CONNECT" or "PROPFIND" instead of GET/POST.

So here is my temporary solution at the top of public/index.php:

// drop probe requests before the framework boots
if (in_array($_SERVER['REQUEST_METHOD'], ['CONNECT', 'PROPFIND'])) exit;

If you know how to disable those requests in a more stylish way, feel free to comment =)
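On the question of a tidier way to drop these: the block below is an added example, not code from the thread or from Laravel, in plain PHP 5-compatible code with no framework dependency. Laravel 5.1's VerifyCsrfToken treats every method other than GET, HEAD and OPTIONS as a state change, so a CONNECT or PROPFIND probe reaches the token check before routing; answering it before the framework boots keeps it out of the ErrBit log while still leaving a trace in the web server log. The names allowedMethods() and probeStatus() are my own, and the "host:443" and "http://host/..." request-target forms are the ones CONNECT and forward-proxy requests use.

```php
<?php
// Added example (not from the thread). Plain PHP, 5.x-compatible, intended
// for the top of public/index.php before the autoloader is required.

// Methods a browser form or AJAX call to this app can legitimately use.
function allowedMethods()
{
    return array('GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS');
}

/**
 * Classify a request from its $_SERVER entries (or a constructed copy).
 * Returns 0 for a normal request, otherwise the HTTP status to answer with:
 *   405 for an unexpected method such as CONNECT or PROPFIND;
 *   400 for a request target that is not a path, e.g. "www.baidu.com:443"
 *       (the form CONNECT uses) or "http://host/..." (absolute-form, as sent
 *       to a forward proxy) instead of "/account" (origin-form).
 */
function probeStatus(array $server)
{
    $method = isset($server['REQUEST_METHOD']) ? strtoupper($server['REQUEST_METHOD']) : '';
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';

    if (!in_array($method, allowedMethods(), true)) {
        return 405;
    }
    // A request addressed to this application has an origin-form target.
    if ($uri === '' || $uri[0] !== '/') {
        return 400;
    }
    return 0;
}

$status = probeStatus($_SERVER);
if ($status !== 0) {
    http_response_code($status);
    if ($status === 405) {
        header('Allow: ' . implode(', ', allowedMethods()));
    }
    // Record the probe in the server error log instead of raising an
    // exception inside the framework; this is what the ErrBit entries showed.
    error_log(sprintf('dropped probe: %s %s from %s',
        isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'));
    exit;
}
```

When pasting into public/index.php, leave out the opening `<?php` tag that the file already has.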
