chunterb

Production Only Token Mismatch In Blade Form

Hello,

When testing my Laravel app locally, I can see the XSRF token being set, and all of the forms work as intended. But, when I deploy to Laravel Vapor, I am getting a 419 on all of the forms. Vapor support mentioned that they could not see the XSRF cookie being set in any of the responses - which I have confirmed.

I've brought over a few of the VerifyCsrfToken core middleware functions into my own code so that I could debug it. I've narrowed it down to being a token mismatch error ($this->tokensMatch($request)), but I am unable to find the reason why.

  • Laravel Version: 6.2.xx
  • Session Driver: redis

I've tried the following:

  • Regenerated the app key.
  • Made sure all caches are cleared, even though Vapor should be doing this on deploy.
  • Set the SESSION_DOMAIN env variable to the vanity URL used by Vapor: .vapor-farm-a1.com
  • Set the SESSION_SECURE_COOKIE to both true and false to make sure there were no problems being caused there.
  • Tried redis, database, and file for the SESSION_DRIVER.
  • Switched between using @csrf and {{ csrf_field() }} in my form. (Yes, I know they should be the same. But had to try.)

Any help is greatly appreciated.

jabba-the-hoot

@chunterb, were you ever able to solve this? I've encountered the same issue in a Vapor production environment and have tried all the same things you tried with no luck. For my case, AJAX requests by the app work just fine when they have the X-CSRF-TOKEN header set, but I can't get plain HTML forms to POST w/a CSRF token to work. It always gets the "419 page expired" response.
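
The checks discussed in this thread (whether the XSRF-TOKEN and session cookies are set at all, and whether the SESSION_DOMAIN and SESSION_SECURE_COOKIE settings produce cookies a browser will keep and send back) can be run against captured `Set-Cookie` response headers. This is an added example, not part of the original thread and not Laravel's own code; the hosts and header values are constructed, and `laravel_session` is an assumed session cookie name.

```python
# Added example: audit Set-Cookie headers from a Laravel response for the
# conditions that leave a browser without a usable session / XSRF cookie.
# All sample hosts and header values below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def audit_cookies(host, scheme, set_cookie_headers,
                  session_cookie="laravel_session"):  # assumed cookie name
    """Return a list of findings; an empty list means no problem detected."""
    findings = []
    seen = dict(parse_set_cookie(h) for h in set_cookie_headers)
    for required in ("XSRF-TOKEN", session_cookie):
        if required not in seen:
            findings.append(f"{required}: not set in this response")
    for name, attrs in seen.items():
        domain = attrs.get("domain")
        if domain and not domain_matches(host, domain):
            findings.append(f"{name}: Domain={domain} does not match {host}")
        if "secure" in attrs and scheme != "https":
            findings.append(f"{name}: Secure cookie is not sent back over {scheme}")
    return findings

# Constructed sample: the cookie Domain is for a different host than the one served.
SAMPLE = [
    "XSRF-TOKEN=abc; path=/; domain=.example-vanity.test; secure",
    "laravel_session=def; path=/; domain=.example-vanity.test; secure; httponly",
]

if __name__ == "__main__":
    for line in audit_cookies("app.example.test", "https", SAMPLE):
        print(line)
```

Feed it the `Set-Cookie` lines from the GET response that renders the form; a cookie the browser drops there means the later POST arrives without the session that holds the token.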
