
baqirfarooq

VerifyCsrfToken

Working perfectly in Homestead; issue on the server.

Whoops, looks like something went wrong.

1/1 TokenMismatchException in VerifyCsrfToken.php line 68:

Snapey

Check that you have the correct storage permissions so that the server can create sessions?

mrockett

I have the same issue. The session is being created, and the cookies are being set. The hidden field is in the form, and POSTs work until I close and re-open the browser. When I've done that, the error persists until I clear the app storage (cookies, local storage, everything).

Running 5.4 on PHP 7.0 with HTTPS and secure cookies enabled. The cookie domain is set as well, and sessions are stored to file. The application is not running a database, and so I don't want to use database session storage. That said, I highly doubt it would make a difference as the sessions are being created in framework/sessions. Lastly, the app does not use any authentication mechanism - it's simply a booking form for a fundraising event.

I've tried everything at this point, and I'm not sure how to proceed.

Kindly advise.

Snapey

@mrockett You cannot close the browser, reopen it and carry on with the same session? Any CSRF token will be lost with the previous session, so I'm not sure if this is what you are doing, but when you reload the browser you must re-request the form?

mrockett

@Snapey Surely if a new session is created, the cookie should match? The mere fact that the token is not valid after a second session means that something is not being updated. Form saving happens client side, and so I'm not using the session for anything special, except CSRF protection, which should be working out of the box.

Snapey

@mrockett What constitutes a 'second' session?

If you open the browser and visit the page, you should get a new session and a new CSRF token, so all should be OK.

There is a config for sessions that can tell the browser to drop the session token when the browser is closed or, conversely, to keep the session token.

If the session token is kept by the browser, then the time delay between first visit and second visit becomes relevant, because the server will also time out the session.

You should be able to see in your browser if, on the second visit, the server gives the client a new CSRF token and if that new token is returned with the form data.

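The behaviour discussed in the last reply, as an added example that is not part of the thread and is not Laravel's own code: a simplified model of a server that binds the CSRF token to the session and times sessions out. `SessionStore`, `visitForm()` and `submitForm()` are hypothetical names, and the lifetime and timestamps are constructed values.

```php
<?php
// Simplified model of session-bound CSRF checking (illustration only, not framework code).
// All class and function names here are hypothetical.
final class SessionStore
{
    private $sessions = [];   // session id => ['token' => string, 'last_seen' => int]
    private $lifetime;        // server-side session lifetime in seconds

    public function __construct(int $lifetimeSeconds) { $this->lifetime = $lifetimeSeconds; }

    /** Resolve the cookie to a live session, or start a new session with a fresh token. */
    public function load(?string $cookie, int $now): string
    {
        $live = $cookie !== null
            && isset($this->sessions[$cookie])
            && $now - $this->sessions[$cookie]['last_seen'] <= $this->lifetime;
        if (!$live) {
            $cookie = bin2hex(random_bytes(16));
            $this->sessions[$cookie] = ['token' => bin2hex(random_bytes(20)), 'last_seen' => $now];
        }
        $this->sessions[$cookie]['last_seen'] = $now;
        return $cookie;
    }

    public function token(string $cookie): string { return $this->sessions[$cookie]['token']; }
}

/** GET: returns [session cookie, token placed in the form's hidden field]. */
function visitForm(SessionStore $store, ?string $cookie, int $now): array
{
    $cookie = $store->load($cookie, $now);
    return [$cookie, $store->token($cookie)];
}

/** POST: true only if the posted token belongs to the session the cookie resolves to now. */
function submitForm(SessionStore $store, ?string $cookie, string $postedToken, int $now): bool
{
    $cookie = $store->load($cookie, $now);
    return hash_equals($store->token($cookie), $postedToken);
}

$store = new SessionStore(7200);               // constructed value: 120-minute lifetime
[$c, $t] = visitForm($store, null, 0);         // first visit: new session, new token
var_dump(submitForm($store, $c, $t, 60));      // posted inside the session lifetime
var_dump(submitForm($store, $c, $t, 8000));    // browser kept the cookie, server timed the session out
var_dump(submitForm($store, null, $t, 120));   // cookie dropped on browser close, old form resubmitted
[$c2, $t2] = visitForm($store, null, 130);     // form re-requested after reopening the browser
var_dump(submitForm($store, $c2, $t2, 140));   // token and cookie come from the same new session
```

Comparing the hidden field's token and the session cookie across the two visits in the browser's developer tools shows which of these cases a failing request falls into.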