
jaycito's avatar

[L5.2] Disable CSRF, keep Session

I'm testing an app that has to redirect outside Laravel at the end of the controller action and I'm having trouble following the redirect. I assume the problem comes from the web middleware, which adds the CSRF cookies, so I end up with a "headers already sent" error, even though interacting manually with the page works fine. Disabling middleware for the test with use WithoutMiddleware; complains about the Session store not being set.

Here's the test code

use WithoutMiddleware;

public function testSuccessfulSignup()
{
    $input = array(
        'mail' => 'test@mail.com',
        'first_name' => 'Philip',
        'last_name' => 'J Fry',
    );

    Input::replace($input);
    $response = $this->call('POST', 'trials', $input);

    // The assertion helpers are methods of the test case, not of the response.
    $this->assertResponseStatus(302);
    $this->assertRedirectedTo('https://store.domain.com');
}

The page returns a 500 with this exception: Session store not set on request.

jlrdw's avatar

In my opinion you would be better off using version 5.1 until that middleware web stuff is completely fixed, including in the documentation. I see more users are having confusion over that stuff. Plus there have been a lot of session problems, it seems like. To me 5.1 was very easy to install and the documentation was very easy to understand. Just my two cents here. There was an old post on the io forum showing how to disable the CSRF, but I don't know if it will apply to 5.2 or not, and you would have to go back and search the io forum.

leomarquine's avatar

You can specify which URIs should be excluded from CSRF verification in the App\Http\Middleware\VerifyCsrfToken class:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        //
    ];
}
jaycito's avatar

@leomarquine I don't want to disable it in the app, just for the test

@jlrdw well too late for that, I'm using some 5.2 specific features in the app already :-/

ifpingram's avatar

@jaycito as per @jlrdw, I am not sure if this will work in 5.2 as I have not tried it myself, but have a look at my answer in this thread to see how to swap out the VerifyCsrfToken middleware with a dummy middleware that always returns true. This should then get around the issue for you.

Connor-S-Parks's avatar

@jaycito you can always just re-bind the middleware in the container (Illuminate/Pipeline/Pipeline actually uses $container->make so it is resolved rather than just newed up). This means a simple container binding to an empty middleware will get around this for you.

EDIT: sorry, didn't notice @ifpingram has literally just said this
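
The container re-binding that @ifpingram and @Connor-S-Parks describe, sketched as an added example that is not code from any post in this thread. It assumes the default Laravel 5.2 layout (App\Http\Middleware\VerifyCsrfToken in the web group, a base TestCase in tests/TestCase.php); PassThroughCsrf and TrialSignupTest are hypothetical names.

```php
<?php

use App\Http\Middleware\VerifyCsrfToken;

// Hypothetical stand-in: it has the handle() signature every middleware has,
// but forwards the request without checking the CSRF token.
class PassThroughCsrf
{
    public function handle($request, Closure $next)
    {
        return $next($request);
    }
}

class TrialSignupTest extends TestCase
{
    public function setUp()
    {
        parent::setUp();

        // The pipeline resolves each middleware through $container->make(),
        // so this instance is handed back wherever VerifyCsrfToken is asked
        // for. The other middleware in the group, StartSession included,
        // still run, so the request keeps its session store.
        $this->app->instance(VerifyCsrfToken::class, new PassThroughCsrf);
    }

    public function testSuccessfulSignup()
    {
        $input = [
            'mail'       => 'test@mail.com',
            'first_name' => 'Philip',
            'last_name'  => 'J Fry',
        ];

        $this->call('POST', 'trials', $input);

        $this->assertResponseStatus(302);
        $this->assertRedirectedTo('https://store.domain.com');
    }
}
```

The binding exists only in the application instance built for each test, so App\Http\Middleware\VerifyCsrfToken and its $except list stay untouched and CSRF verification remains enforced in the deployed app.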
