postitief's avatar

Unexplained TokenMismatchException

Hello,

On a production site, running on Laravel 5.2, I'm getting a TokenMismatchException. This happens several times a day, but I can't find out which form / code causes this error. I also can't reproduce this myself. The errors are listed in the Laravel log file.

How can I debug this error on production environment without disturbing the visitor so I can fix this issue?

Below is a copy of this error.

exception 'Illuminate\Session\TokenMismatchException' 
in /path/to/laravelsite/bootstrap/cache/compiled.php:3027

Stack trace:
#0 [internal function]: Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(Illuminate\Http\Request), Object(Closure))
#1 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#2 /path/to/laravelsite/bootstrap/cache/compiled.php(12943): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#3 [internal function]: Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(Illuminate\Http\Request), Object(Closure))
#4 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#5 /path/to/laravelsite/bootstrap/cache/compiled.php(11530): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#6 [internal function]: Illuminate\Session\Middleware\StartSession->handle(Object(Illuminate\Http\Request), Object(Closure))
#7 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#8 /path/to/laravelsite/bootstrap/cache/compiled.php(12682): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#9 [internal function]: Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(Illuminate\Http\Request), Object(Closure))
#10 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#11 /path/to/laravelsite/bootstrap/cache/compiled.php(12619): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#12 [internal function]: Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(Illuminate\Http\Request), Object(Closure))
#13 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#14 /path/to/laravelsite/bootstrap/cache/compiled.php(3086): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#15 [internal function]: Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))
#16 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#17 /path/to/laravelsite/app/Http/Middleware/Language.php(60): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#18 [internal function]: App\Http\Middleware\Language->handle(Object(Illuminate\Http\Request), Object(Closure))
#19 /path/to/laravelsite/bootstrap/cache/compiled.php(9528): call_user_func_array(Array, Array)
#20 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#21 /path/to/laravelsite/bootstrap/cache/compiled.php(9518): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#22 /path/to/laravelsite/bootstrap/cache/compiled.php(2296): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#23 /path/to/laravelsite/bootstrap/cache/compiled.php(2280): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#24 /path/to/laravelsite/public/index.php(54): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#25 {main}
0 likes
6 replies
Jaytee's avatar

Make sure you have the 'web' middleware assigned to your routes.

Any routes that include forms, sessions etc are to have the web middleware route.

schir1964's avatar

You can also get this error when the session times out and you submit a form that has been sitting there. There is another thread that talks about this. But may not have anything to do with your particular issue.

Snapey's avatar

As @schir1964 says, this can definitely be an issue, especially if your home page has a login form or if your logout action takes the user to a login page. They log out, go away, come back to their computer hours later, fill in their details and press submit = token mismatch.

In my opinion, it should be safe to have no CSRF required on a login page. Anyway, this is supposing it's login that is causing the issue.

There is a package, Laravel Caffeine that solves this by contacting the server by ajax every 5 minutes to say 'still here'.

https://packagist.org/packages/genealabs/laravel-caffeine

And also a short writeup here on laravel daily http://laraveldaily.com/caffeine-package-prevent-forms-from-timing-out/

postitief's avatar

OK, I found the CSRF token still being in the login form. I think this is causing it. I will first disable this; if the error stays away, I know that this was causing it.

Then I need to find a nice solution to show a user a "session expired" message (or something like that) instead of an HTTP 500 error.

postitief's avatar

I'm adding a new reply. I found out that there is still a CSRF token in the login form. But when I started this thread, I thought it wasn't, my mistake!

However, I think throwing a 500 error and nothing else on a CSRF token mismatch doesn't feel good. It's pretty ridiculous in my opinion. So if Laravel decides for us to force CSRF, I would think it also would do something special with error messages. I mean, people leaving the site for several hours and continuing after some time is not that strange to me.

So my solution is to redirect the user to the form page and show them an error message. This however still triggers an error in the Laravel log file, this is something I need to change to a warning or notice.

In my app\Exceptions\Handler.php

Added at top:

use Illuminate\Session\TokenMismatchException;

And changed the render method.

public function render($request, Exception $e)
    {
        if ($e instanceof ModelNotFoundException) {
            $e = new NotFoundHttpException($e->getMessage(), $e);
        }

        // Catch a TokenMismatchException and redirect nicely!
        if ($e instanceof TokenMismatchException){
            // Redirect back with error message.
            return redirect($request->fullUrl())->with('csrf_error', trans('errors.csrf_token_mismatch'));
        }

        // Custom error 500 view on production
        if (app()->environment() == 'production') {
            return response()->view('errors.500', [], 500);
        }

        return parent::render($request, $e);
    }
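
An added example, not part of the thread and not the poster's code: one way to address the two open points above (finding which form triggers the mismatch, and logging it below error level) while leaving CSRF verification enabled on the login form. It assumes the stock Laravel 5.2 `app\Exceptions\Handler.php`; the `csrf_error` flash key and `errors.csrf_token_mismatch` translation key come from the post, and the log field names are this example's own choice.

```php
<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Support\Facades\Log;

class Handler extends ExceptionHandler
{
    /**
     * Log CSRF mismatches as a notice with enough request context to
     * identify the form; every other exception is reported as usual.
     */
    public function report(Exception $e)
    {
        if ($e instanceof TokenMismatchException) {
            $request = request();

            Log::notice('CSRF token mismatch', [
                'method'         => $request->method(),
                'path'           => $request->path(),
                'referer'        => $request->headers->get('referer'),
                // No session cookie at all points to an expired or cleared
                // session, or a client that never loaded the form here.
                'session_cookie' => $request->cookies->has(config('session.cookie')),
                'token_sent'     => $request->has('_token') || $request->headers->has('X-CSRF-TOKEN'),
                'ip'             => $request->ip(),
                'user_agent'     => $request->headers->get('user-agent'),
            ]);

            return; // skip the default error-level entry and stack trace
        }

        parent::report($e);
    }

    public function render($request, Exception $e)
    {
        if ($e instanceof TokenMismatchException) {
            // Back to the form with the post's flash key; never re-flash secrets.
            return redirect()->back()
                ->withInput($request->except('password', 'password_confirmation', '_token'))
                ->with('csrf_error', trans('errors.csrf_token_mismatch'));
        }

        return parent::render($request, $e);
    }
}
```

Grouping the resulting notices by `path` and `referer` shows which form is involved; a steady stream with `session_cookie` false and no `referer` is more likely automated traffic than users returning to a stale page.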
