
Neferson's avatar

Error in Laravel 5.4 "TokenMismatchException in VerifyCsrfToken.php" I'm using {!! csrf_field() !!}

I have a big error. Locally everything is OK, but on the web server (production) I get the error "TokenMismatchException in VerifyCsrfToken.php". My code:

FORM


<form role="form" method="post" action="{{ route('front.login') }}" class="login-form">
    {!! csrf_field() !!}
    <div class="form-group @if ($errors->has('email')) has-error @endif">
        <label class="sr-only" for="form-username">Email</label>
        <input type="email" name="email" placeholder="Email..." class="form-username form-control @if($errors->has('email')) input-error @endif" id="form-username" value="{{ old('email') }}">
        @if ($errors->has('email')) <p class="help-block"> {{ $errors->first('email') }} </p> @endif
    </div>
    <div class="form-group @if ($errors->has('password')) has-error @endif">
        <label class="sr-only" for="form-password">Senha</label>
        <input type="password" name="password" placeholder="Senha..." class="form-password form-control @if($errors->has('password')) input-error @endif" id="form-password" value="{{ old('password') }}">
        @if ($errors->has('password')) <p class="help-block"> {{ $errors->first('password') }} </p> @endif
    </div>
    <div class="form-group text-center">
        <button type="submit" class="btn btn-dark-blue text-center">Entrar no Sistema</button>
    </div>
</form>

CONTROLLER

$this->validate($request,[
    'email' => 'required',
    'password' => 'required'
]);

$data = [
    'email' => $request->input("email"),
    'password' => $request->input("password")
];

if(Auth::attempt($data)){
    return redirect()->route('front.home');
}
0 likes
5 replies
Dry7's avatar

Set chmod 770 on /storage/framework/sessions

Neferson's avatar

I tried this, but it still gives the same error.

wickley's avatar

Typically it should be {{ csrf_field() }}, though {!! csrf_field() !!} technically should work.

I'd try changing it to {{ csrf_field() }} as the docs show and testing that on production just to rule it out.

Neferson's avatar

I tried this too, but the problem remains :(

wickley's avatar

Here are some things to try and such:

Test chmod 777 on /storage/framework/sessions and see what happens then. Also check ownership of that folder to make sure the owner and group permissions are compatible with writing to the web folders.

Try deleting all files in "storage/framework/cache" and "storage/framework/sessions" if the first step fails and test again.

Check Session Cookie Path in config/session.php to see if it's set to something strange and not the default. Also check the secure cookies setting in that file.

Is production server using .env file to load some of the config? Check config SESSION_DOMAIN setting in .env if using or config files if not.

What's the production version of PHP vs the local version being used for development? Development server type vs production server type?

If you are desperate and not that concerned with csrf on this form, you can disable that route in app/Http/Middleware/VerifyCsrfToken by adding the url to the $except array in that file and the token check will not happen for that route.
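The session checks from the list above (sessions folder, cookie path, secure cookies, SESSION_DOMAIN) as an added example, not code from the thread or from Laravel: a plain-PHP function that reports why the session holding the CSRF token would not survive from the form page to the POST. The function name, URLs and config values are constructed; is_writable() tests the user running the script, so run it as the web server's user.

```php
<?php
// Added example, not from the thread. $session mirrors the 'domain', 'path'
// and 'secure' keys of config/session.php; all sample values are constructed.

/** Reasons the session (and the CSRF token stored in it) would be lost before the POST. */
function sessionProblems(array $session, string $formUrl, string $sessionDir): array
{
    $problems = [];
    $url    = parse_url($formUrl);
    $host   = strtolower($url['host'] ?? '');
    $path   = $url['path'] ?? '/';
    $scheme = strtolower($url['scheme'] ?? 'http');

    // A cookie marked Secure is only sent back over HTTPS.
    if (!empty($session['secure']) && $scheme !== 'https') {
        $problems[] = "secure=true, but the form is served over $scheme";
    }

    // The cookie domain must equal the host or be a parent domain of it (RFC 6265).
    $domain = strtolower(ltrim((string) ($session['domain'] ?? ''), '.'));
    $suffix = '.' . $domain;
    if ($domain !== '' && $host !== $domain && substr($host, -strlen($suffix)) !== $suffix) {
        $problems[] = "domain '$domain' does not match host '$host'";
    }

    // The cookie path must be a whole-segment prefix of the request path.
    $cookiePath = rtrim((string) ($session['path'] ?? '/'), '/') . '/';
    if (strpos(rtrim($path, '/') . '/', $cookiePath) !== 0) {
        $problems[] = "path '$cookiePath' does not cover '$path'";
    }

    // The file session driver must be able to write the session to disk.
    if (!is_dir($sessionDir) || !is_writable($sessionDir)) {
        $problems[] = "$sessionDir is not writable by the current user";
    }
    return $problems;
}

$dir = sys_get_temp_dir(); // stands in for storage/framework/sessions
$cases = [
    'local'      => [['domain' => null, 'path' => '/', 'secure' => false], 'http://localhost/login'],
    'production' => [['domain' => 'localhost', 'path' => '/', 'secure' => true], 'http://shop.example.test/login'],
];
foreach ($cases as $name => [$session, $formUrl]) {
    $found = sessionProblems($session, $formUrl, $dir);
    echo $name, ': ', $found ? implode('; ', $found) : 'no problems found', PHP_EOL;
}
```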
