
RodrigoSAlves's avatar

TokenMismatch Exception - Cause: Blank Line before <?php

Good Afternoon,

I'm currently trying to deploy a Laravel 5.6 app on Hetzner Level 9 shared hosting (unfortunately, I was constrained by the client to use shared hosting).

I've already managed to upload the project with all the latest vendor dependencies installed, and the application in general seems to work fine.

This is the case until I attempt to Sign In (I have the sign in right on my home page, and registration is closed for outsiders (platform administrators create the accounts as they need)).

Upon further inspection I've spotted that the problem comes from VerifyCSRFToken when the _token received in the request is compared with the token present in the session (function "tokensMatch").

Has anyone got any idea as to why these tokens are different?

The function where it all stops:

/**
 * Determine if the session and input CSRF tokens match.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function tokensMatch($request)
{
    
    $token = $this->getTokenFromRequest($request);
    
    return is_string($request->session()->token()) &&
           is_string($token) &&
           hash_equals($request->session()->token(), $token);

// $request->session()->token is different from $token

}

/**
 * Get the CSRF token from the request.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return string
 */
protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        $token = $this->encrypter->decrypt($header);
    }

    return $token;
}
nexxai's avatar

You will need to include the CSRF token as part of the sign-in process. If the sign-in page is part of the Laravel app, just add

@csrf

within your <form> tags and it will supply that for you.

Alternatively, you can look into disabling CSRF for that page specifically, however due to the protection it provides your users, I would not recommend that.

RodrigoSAlves's avatar

@NEXXAI - Thanks for the reply.

I am already including the {{csrf_field()}} inside the form. And the getTokenFromRequest method seems to be able to retrieve it. The only problem appears to be the mismatch between what's in the session files and what comes from the front-end.

I should mention that the app works fine in localhost, and also on another DigitalOcean staging server that I have configured for demos and tests. No changes have been made to this page for months; only now, when deploying to this new server, has this problem surfaced.

nexxai's avatar

If you view the source of the page, what is being returned as the <input type="hidden" name="_token" ... field? If you refresh the page, is the token value changing?

RodrigoSAlves's avatar

@JLRDW - I've tried: deleting session files and php artisan cache clear but without any luck

xuma's avatar

First of all just to be sure try to change browser and try again.

Try to check storage/framework/sessions/ permission and ownership

RodrigoSAlves's avatar

@XUMA - Storage/Framework/sessions already have rwx (777) permissions set recursively

RodrigoSAlves's avatar
Best Answer

I have found the problem.

Turns out I had a space before the <?php in the config/broadcasting.php and web/routes.php files.

This in turn was blocking the setting of session cookies, and consequently creating a new session for each request. And with a new session per request, of course the _token in the form is gonna be different from the token in the new session.

In order to solve this I read:

https://laracasts.com/discuss/channels/laravel/laravel-54-is-not-creating-csrf-cookie-on-my-hosting

https://laravel.io/forum/07-15-2015-new-session-is-created-on-each-request

Thanks for every reply and stay safe. Keep the blank lines away!
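
A check for the cause identified in the accepted answer, as an added example that is not part of the original thread: PHP emits any bytes that precede the opening `<?php` tag as response output, and once output has started the session cookie header can no longer be sent unless output buffering is enabled. The script flags non-Blade `.php` files that begin with whitespace or a UTF-8 BOM; the function names, the skip list and the sample tree are assumptions constructed for illustration.

```python
import pathlib
import tempfile

BOM, OPEN_TAG = b"\xef\xbb\xbf", b"<?php"

def leading_output(data):
    """Describe bytes PHP would emit before the first <?php tag, or return None."""
    idx = data.find(OPEN_TAG)
    if idx <= 0:
        return None  # file starts with <?php, or has no open tag in this chunk
    prefix = data[:idx]
    has_bom = prefix.startswith(BOM)
    rest = prefix[len(BOM):] if has_bom else prefix
    if rest.strip():
        return None  # real markup before the tag: a template, output is intended
    parts = ["UTF-8 BOM"] if has_bom else []
    if rest:
        parts.append(f"{len(rest)} whitespace byte(s)")
    return " + ".join(parts)

def scan(root, skip=("vendor", "node_modules", "storage")):
    """Map relative path -> problem for each non-Blade .php file under root."""
    findings = {}
    for p in sorted(pathlib.Path(root).rglob("*.php")):
        rel = p.relative_to(root)
        if not p.is_file() or p.name.endswith(".blade.php") or set(rel.parts) & set(skip):
            continue
        with p.open("rb") as fh:
            problem = leading_output(fh.read(4096))
        if problem:
            findings[rel.as_posix()] = problem
    return findings

def demo():
    """Scan a constructed project tree (sample data, not taken from the thread)."""
    samples = {
        "config/app.php": b"<?php\nreturn [];\n",               # clean
        "config/broadcasting.php": b" <?php\nreturn [];\n",     # leading space
        "routes/web.php": BOM + b"\n<?php\n",                   # BOM + newline
        "resources/views/home.blade.php": b"<h1>Hi</h1>\n",     # template, skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan()` against the project root before uploading; any file it reports can start the response body before Laravel has a chance to send the session cookie.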
