Level 11
First, don't encrypt the csrf_token(). Pass it exactly the way it is generated.
Next, I can see in your script you are setting the X-XSRF-TOKEN header. Have you tried using the X-CSRF-TOKEN header instead?
1 like
Jun 6, 2019
4
Level 3
tokenmismatchexception with script
I have read many threads and tested all that I could but am now at the end of my rope. Tried resetting cookies, clearing cache, setting CSRF on the views, looked at the configs and just cannot figure out why I am getting a mismatch when running the script below. I thought that maybe it had to do with the session storage path since I am using Spark but that seems to be correct (app\storage\framework\sessions). Just lost!
@section('script')
<script>
$(function() {
$('#mr-test-connection').on('click' , function () {
var connection_btn = $(this);
connection_btn.children('span').removeClass('hide');
connection_btn.children('span').addClass('fa-spin');
connection_btn.attr('disabled' , 'disabled');
var van = $('#pos_wan_address');
ip = van.val();
db_name = $('#db_name').val();
pos_mysql_un = $('#pos_mysql_un').val();
pos_mysql_pw = $('#pos_mysql_pw').val();
data = {'pos_wan_address' : ip , 'pos_mysql_un': pos_mysql_un , 'pos_mysql_pw':pos_mysql_pw , 'db_name':db_name};
$.ajax({
url: "{!! route('admin.merchants.test-connection') !!}",
data: data,
headers: { 'X-XSRF-TOKEN' : '{{\Illuminate\Support\Facades\Crypt::encrypt(csrf_token())}}' },
error: function() {
},
success: function(data) {
connection_btn.children('span').addClass('hide');
if (data.alert_type)
toastr["success"](data.message);
else
toastr["error"](data.message);
connection_btn.removeAttr('disabled');
},
type: 'POST'
});
});
$('#reset-pass').on('click' , function (e) {
var reset_email_btn = $(this);
reset_email_btn.children('span').removeClass('hide');
reset_email_btn.children('span').addClass('fa-spin');
merchant_email = "{{$merchant->email}}";
var action = $(this).attr('data-url');
$.ajax({
url: action,
data: {'email': merchant_email},
success: function(data) {
reset_email_btn.children('span').addClass('hide');
reset_email_btn.children('span').removeClass('fa-spin');
if (data.alert_type == 'success')
toastr.success(data.message , 'Message');
else
toastr.error(data.message , 'Message');
},
type: 'get'
});
})
});
</script>
@endsection()
Level 122
Something odd because you are using type: 'get' GET requests don't use csrf
Examine the network traffic in your browser. Check the method being used and the request payload
1 like
Level 3
Let's just say I am still learning... :)
This was the fix
headers: { 'X-CSRF-TOKEN' : '{{ csrf_token() }}' },
The controller has a post so will fix the one type. Thanks guys!
Level 11
@THINKINGMAN - You are welcome.
1 like
Please or to participate in this conversation.