m615's avatar

Frustrating 419 | Page Expired on Login using Jetstream

I have a Laravel 8 application that I'm using Nova on. I've also implemented Jetstream login so that I can use its tokens and auth system for an external application.

I've set up Nova's auth driver in the nova.php config to use Jetstream as its auth driver.

If I run the application locally on localhost all works really well.

Once I deploy the application to production I always get 419 | Page Expired when trying to log in using the same browser. I've tried clearing my cache and private browsing. The only time I can log in without getting the error is if I use a completely different browser such as FF or Edge on Windows. I use Chrome 99% of the time.

I'm really at a loss for why this is happening and have run out of ideas on why I continue to get this 419 | Expired message. To be clear, I see the login form, fill it out and click submit. Then I receive the 419 message.

0 likes
16 replies
jlrdw's avatar

Are they API routes? If so, no session is used. Otherwise check your storage permissions.

Snapey's avatar

Have you incorrectly set the session cookie domain in config/session.php?

RahulKmOfficial's avatar

Seems this is a CSRF error. Please check your session drivers and set them correctly. If the problem is only with Chrome, then try clearing the cache only and see.

And you haven't told us: is that an API route or a web route?

siangboon's avatar

419 is related to TokenMismatchException. Did you put the @csrf token in the form, and is it rendered in the form (the _token hidden input field)?

Perhaps pasting the code here will help; at least it avoids too much guesswork.

m615's avatar

I'm using the built-in Jetstream form, so I'm assuming they have the @csrf token as part of the form.

m615's avatar

I took a look at the Jetstream form that is used for user login and it does have a @csrf:

<form method="POST" action="{{ route('login') }}">
    @csrf

    <div>
        <x-jet-label for="email" value="{{ __('Email') }}" />
        <x-jet-input id="email" class="block mt-1 w-full" type="email" name="email" :value="old('email')" required autofocus />
    </div>

    <div class="mt-4">
        <x-jet-label for="password" value="{{ __('Password') }}" />
        <x-jet-input id="password" class="block mt-1 w-full" type="password" name="password" required autocomplete="current-password" />
    </div>

    <div class="block mt-4">
        <label for="remember_me" class="flex items-center">
            <input id="remember_me" type="checkbox" class="form-checkbox" name="remember">
            <span class="ml-2 text-sm text-gray-600">{{ __('Remember me') }}</span>
        </label>
    </div>

    <div class="flex items-center justify-end mt-4">
        @if (Route::has('password.request'))
            <a class="underline text-sm text-gray-600 hover:text-gray-900" href="{{ route('password.request') }}">
                {{ __('Forgot your password?') }}
            </a>
        @endif

        <x-jet-button class="ml-4">
            {{ __('Login') }}
        </x-jet-button>
    </div>
</form>

Snapey's avatar

If it works locally then of course it's NOT related to missing CSRF.

Did you see my question about the cookie domain?

Also, check in your browser to see if you are being sent cookies.

m615's avatar

I am setting the session domain in the .env. Locally it is set to 127.0.0.1 and in production I have it set to a subdomain, 'example.mydomain.com'.

My session config is using db rather than cookie.

Snapey's avatar

Your session cookie domain should be left as null unless you have a good reason to change it.

Even when using database for session storage, you still rely on cookies sent by the client browser to align them to the session.

Snapey's avatar

Does the domain on the production cookies match your URL?

xsven's avatar

I've run into this on production with an https domain, and the request being sent to http causing a 419. Explicitly typing https solved this for me.

m615's avatar

Ok, interesting. I'll give this a try and see if that's the issue.

m615's avatar

Maybe a stupid question. How do I ensure that the login route uses https? I noticed a setting in session.php where you can set 'http_only' => false. Are there any other application-level settings that can be set based on environment to force the use of https:// no matter what? I would like to make sure that locally the app does not have to use https unless there is an easy solution for running localhost on https as well.

Keep in mind I switch between Windows and macOS locally quite a lot.

m615's avatar
m615
OP
Best Answer

THANK YOU !!! THIS WORKED.

In AppServiceProvider boot method I put the following.

public function boot()
{
    if ($this->app->environment('production') || $this->app->environment('staging')) {
        \URL::forceScheme('https');
    }
}

5 likes
xsven's avatar

Aha, interesting. I was making it explicit in .htaccess

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
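
The two causes raised in this thread (a session cookie domain that does not match the site, and a login form posting to http on an https site) both end with the browser not returning the session cookie, so the submitted CSRF token is checked against a fresh session. The following is an added example, not code from any poster: it takes the login page URL, the form's action URL and the Set-Cookie header as copied from the browser's network tab, and reports why the cookie would not reach the POST. It assumes the production cookie carries the Secure attribute; the function names, result strings and sample values are constructed.

```javascript
// Added example, not code from the thread. Names and sample values are constructed.

// Parse a Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], domain: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    if (key.toLowerCase() === 'domain') {
      // A leading dot is ignored by browsers; an empty value means host-only.
      cookie.domain = value.trim().replace(/^\./, '').toLowerCase() || null;
    }
    if (key.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// RFC 6265 domain-match: the host is the domain itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Reasons the session cookie set by pageUrl's response would not reach
// formAction. An empty array means the session survives the login POST.
function sessionCookieProblems(pageUrl, formAction, setCookieHeader) {
  const page = new URL(pageUrl);
  const action = new URL(formAction, pageUrl); // resolves relative actions
  const cookie = parseSetCookie(setCookieHeader);
  // A Domain attribute that does not cover the responding host is rejected.
  if (cookie.domain && !domainMatches(page.hostname, cookie.domain)) {
    return ['domain-rejected'];
  }
  const problems = [];
  // Without a Domain attribute the cookie is host-only (exact host match).
  const reachesAction = cookie.domain
    ? domainMatches(action.hostname, cookie.domain)
    : action.hostname === page.hostname;
  if (!reachesAction) problems.push('host-mismatch-on-post');
  // Secure cookies are never attached to plain-http requests.
  if (cookie.secure && action.protocol !== 'https:') {
    problems.push('secure-not-sent-to-http-action');
  }
  return problems;
}

// Constructed case: https login page whose form action was generated as http.
console.log(sessionCookieProblems(
  'https://example.mydomain.com/login',
  'http://example.mydomain.com/login',
  'laravel_session=abc; path=/; secure; httponly; samesite=lax'));
```

An empty result for the production login page means the cookie path is fine and the cause lies elsewhere, such as session storage on the server.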
