
lako's avatar
Level 2

TokenMismatchException in VerifyCsrfToken.php line 53:

Now I am going to manage session.

config/session.php

'lifetime' => 15,

customController.php

public function update(Request $request, $id)
{
    if (Session::get('auth'))
    {
        $input = $request->all();

        $cons_cal = ConstructionCalendar::findOrFail($id);

        $cons_cal->update($input);

        return redirect()->back();
    }
    else
    {
        return view('errors.503');
    }
}

By the way, after session expiration, I wanted this to redirect to the 503 page, but it shows me this instead.

Whoops, looks like something went wrong.

1/1 TokenMismatchException in VerifyCsrfToken.php line 53:

in VerifyCsrfToken.php line 53
at VerifyCsrfToken->handle(object(Request), object(Closure))
at call_user_func_array(array(object(VerifyCsrfToken), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in ShareErrorsFromSession.php line 49
at ShareErrorsFromSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(ShareErrorsFromSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in StartSession.php line 62
at StartSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(StartSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 37
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AddQueuedCookiesToResponse), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in EncryptCookies.php line 59
at EncryptCookies->handle(object(Request), object(Closure))
at call_user_func_array(array(object(EncryptCookies), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in CheckForMaintenanceMode.php line 44
at CheckForMaintenanceMode->handle(object(Request), object(Closure))
at call_user_func_array(array(object(CheckForMaintenanceMode), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 103
at Pipeline->then(object(Closure)) in Kernel.php line 122
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 87
at Kernel->handle(object(Request)) in index.php line 54
at require_once('D:\work\Laravel\JP_Project\SSS\public\index.php') in server.php line 21

How can I make this correct? Thank you for any kind of help.

0 likes
12 replies
lako's avatar
Level 2

I think when the session is expired, the token number is removed.

<input name="_token" type="hidden" value="8HCraHYQoetUHYwmo7SAlkRsL6RjJgCifqbb16O8">

So I think I need to prevent this from becoming empty like this.

<input name="_token" type="hidden" value="">

Maybe, this is the problem?

'lifetime' => 15,

My template looks like this.

{!! Form::open(['method' => 'POST', 'class' => 'ui fluid form', 'url' => URL::to('construction/' . $cons_cal->id)]) !!}
    ... ...
{!! Form::close() !!}

And it is rendered like below in the browser.

<form method="POST" action="http://localhost:8000/construction/6166" accept-charset="UTF-8" class="ui fluid form">
    <input name="_token" type="hidden" value="8HCraHYQoetUHYwmo7SAlkRsL6RjJgCifqbb16O8">
    ... ...
</form>
Snapey's avatar

Once the session expires, the token in the form is no longer valid.

If you need to keep the session going for a long time (for instance, the user can go away for a while before coming back and completing the form) then you could consider a technique to keep the session going. https://packagist.org/packages/genealabs/laravel-caffeine

1 like
lako's avatar
Level 2

That was really nice, @Snapey. But I couldn't achieve my purpose.

For now, the problem is that the _token value becomes empty (I think so, when the session is expired based on the lifetime in config/session.php). Because the _token value becomes empty, I get this error when I click the Submit button.

Whoops, looks like something went wrong.

1/1 TokenMismatchException in VerifyCsrfToken.php line 53:

I think so. So I need to prevent the _token from becoming empty when I click the submit button after the session is expired.

Thanks for your consideration.

Snapey's avatar

The token should never be empty, but it will be invalid once the session expires.

lako's avatar
Level 2

How can I prevent it?

Snapey's avatar

What makes you think that the token is empty?

lako's avatar
Level 2

Because I get the above error, I thought it will be empty after the session is expired.

Snapey's avatar

You can view the token by just viewing the source in your browser.

If you request a form from the server, the server provides the form with a valid CSRF token. The server stores the token it has given you in its session store. When you later post the form, the server first checks to see if there is an ongoing session. If so, it loads session data such as the CSRF token, then compares it to the one provided with your form.

After the first request from client to server, nothing else happens at either end. After some period, you fill in the form and press submit. This time, the server checks its session store and finds out that the session you used to have has now expired. So, it starts a new session, but of course now there is no form token in the session to compare with. You get a token mismatch.

Caffeine pings the server every 5 minutes to prevent the server session from expiring.

1 like
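The sequence described in the post above, as an added stand-alone illustration (not Laravel's code and not from the thread): a toy in-memory session store with an idle lifetime, where `ToySessionStore`, its methods and the timestamps are constructed for the example. It shows that the token in the browser's form stays non-empty and the mismatch is decided on the server.

```php
<?php
// Added illustration: a toy session store, not Laravel's implementation.
final class ToySessionStore
{
    private array $sessions = [];   // session id => ['token' => ..., 'expires' => ...]

    public function __construct(private int $lifetimeSeconds) {}

    // Start a session and mint the CSRF token that gets embedded in the form.
    public function start(int $now): array
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [
            'token'   => bin2hex(random_bytes(20)),
            'expires' => $now + $this->lifetimeSeconds,
        ];
        return [$id, $this->sessions[$id]['token']];
    }

    // Verify a posted form token against the session named by the cookie.
    public function verify(string $id, string $formToken, int $now): string
    {
        $s = $this->sessions[$id] ?? null;
        if ($s === null || $s['expires'] <= $now) {
            // Expired: the old data is discarded and a fresh session starts,
            // so the server holds nothing the posted token can match.
            unset($this->sessions[$id]);
            [, $fresh] = $this->start($now);
            return hash_equals($fresh, $formToken) ? 'ok' : 'mismatch (session expired)';
        }
        // Any request inside the lifetime pushes the expiry forward (idle timeout).
        $this->sessions[$id]['expires'] = $now + $this->lifetimeSeconds;
        return hash_equals($s['token'], $formToken) ? 'ok' : 'mismatch (wrong token)';
    }
}

$store = new ToySessionStore(15 * 60);   // mirrors 'lifetime' => 15 (minutes)
$t0 = 1_700_000_000;                     // constructed timestamp

// Form requested, then submitted 5 minutes later.
[$cookie, $formToken] = $store->start($t0);
echo $store->verify($cookie, $formToken, $t0 + 5 * 60), PHP_EOL;

// Form requested, then submitted after 16 idle minutes.
[$cookie2, $formToken2] = $store->start($t0);
echo $store->verify($cookie2, $formToken2, $t0 + 16 * 60), PHP_EOL;
echo 'posted token length: ', strlen($formToken2), PHP_EOL;
```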
lako's avatar
Level 2

Thank you @Snapey. Yes, I can see the token value with the debugger in the browser.

You are right. Caffeine plugin works well to persist the session with server.

But I have to expire the session in fixed time.

Just I need to persist the form _token after session is expired. I hope you understand what I want to do for now. Thanks

Snapey's avatar
Snapey
Best Answer
Level 122

Just I need to persist the form _token after session is expired.

Sorry, this is not possible. What does the form do? Could it be excluded from csrf check?

1 like
lako's avatar
Level 2

Could it be excluded from csrf check?

Yes

The form works to send some data via router.

And in the fixed controller, if the session is expired it returns to the 503.php.

By the way, for now the form does not work because the _token is invalid after session is expired.

lako's avatar
Level 2

I've used middleware for it. Thank you.
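An alternative to excluding the route from the CSRF check, as an added example that is not code from this thread: leave verification on and turn the expired-session mismatch into a redirect in the application's exception handler. It assumes a Laravel 5.x application (where `App\Exceptions\Handler::render()` receives an `Exception` and the middleware throws `Illuminate\Session\TokenMismatchException`); the error key, message text and JSON body are made up for the example.

```php
<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response.
     */
    public function render($request, Exception $e)
    {
        // Thrown by VerifyCsrfToken when the posted _token does not match the
        // token in the (possibly brand-new) session.
        if ($e instanceof TokenMismatchException) {
            if ($request->ajax() || $request->wantsJson()) {
                // Assumed response shape for script clients.
                return response()->json(['error' => 'session_expired'], 419);
            }

            // Send the user back to the form. It is re-rendered inside the new
            // session, so it carries a fresh, valid token. The stale token and
            // any password fields are not flashed back.
            return redirect()->back()
                ->withInput($request->except(['_token', 'password', 'password_confirmation']))
                ->withErrors(['session' => 'Your session expired. Please submit the form again.']);
        }

        return parent::render($request, $e);
    }
}
```

The update request is still rejected when the token does not match, so the route keeps its CSRF protection; only the error page changes.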
