I am developing a single-page application using the ExtJS 5 JavaScript framework, with Laravel 5 as an API. The problem is that every time I make a POST request I get a TokenMismatchException because of the 'VerifyCsrfToken' middleware in Kernel.php. Is there any way to include the CSRF token from my JavaScript app?
Thanks @bestmomo, @Iss: They are indeed good articles. But I am doing a cross-origin request from a separate ExtJS 5 app to a Laravel API hosted on another server. Do you have any clue on that, please?
@bestmomo Yes, I am using that package from barryvdh and it works. The problem is that when I make a POST request to the API, I get a TokenMismatch exception.
Have a separate route that authenticates the user via an API key and, in response, gives the csrf_token, which it will store on the requesting/posting server.
You have example.com POSTing to api.com and it requires a CSRF token.
Have a route on api.com, /auth, that will either authenticate the user and return csrf_token() or just return the token on a GET request, and have example.com add the result as an X-CSRF-TOKEN header when POSTing.
@binalfew Does the response.responseText contain an encrypted version of the token?
Try logging, in the route you're posting to, the token you're sending and the token it's trying to compare against (do it in the middleware), and see if they match (my guess is they don't, since you're still having the issue).
My guess is that the Laravel app you're posting to is registering 2 separate sessions for the GET and the POST.
Try the second approach and alter the middleware. See how that goes.
@Iss The token I get from response.responseText is not encrypted. I have been debugging in the middleware; it fails while comparing the token I submit with the form with the one stored in Session->token(). But the last point you mentioned, is it possible for the Laravel app to register two separate sessions for GET and POST? If so, how can I access the one registered for POST?
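
Added example, not part of the thread and not Laravel's own code: a minimal Node.js simulation of the session-bound token check discussed above, showing how a POST that arrives without the session cookie issued on the GET starts a second session and fails the comparison. The `loadSession`, `handle` and `getThenPost` functions, the request shape and the in-memory session store are hypothetical.

```javascript
// Added example: simulates a session-bound CSRF check; not Laravel's own code.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const sessions = new Map(); // hypothetical in-memory store: session id -> token

// Reuse the session named by the cookie, otherwise start a new one,
// which also means a new CSRF token.
function loadSession(cookie) {
  if (!cookie || !sessions.has(cookie)) {
    cookie = randomBytes(16).toString('hex');
    sessions.set(cookie, randomBytes(20).toString('hex'));
  }
  return { id: cookie, token: sessions.get(cookie) };
}

// Hypothetical API: GET returns the session's token, POST compares the
// X-CSRF-TOKEN header against the token stored in the session.
function handle(req) {
  const session = loadSession(req.cookie);
  if (req.method === 'GET') {
    return { sessionId: session.id, ok: true, body: session.token };
  }
  const sent = Buffer.from(String(req.headers['X-CSRF-TOKEN'] || ''));
  const stored = Buffer.from(session.token);
  const ok = sent.length === stored.length && timingSafeEqual(sent, stored);
  return { sessionId: session.id, ok, body: ok ? 'saved' : 'token mismatch' };
}

// Client side: fetch the token, then POST it back. sendCookie models whether
// the session cookie from the GET accompanies the cross-origin POST
// (a browser XHR only sends it when withCredentials is set).
function getThenPost(sendCookie) {
  const get = handle({ method: 'GET', headers: {} });
  const post = handle({
    method: 'POST',
    cookie: sendCookie ? get.sessionId : undefined,
    headers: { 'X-CSRF-TOKEN': get.body },
  });
  return { ok: post.ok, sameSession: post.sessionId === get.sessionId };
}

console.log('cookie dropped:', getThenPost(false));
console.log('cookie sent:   ', getThenPost(true));
```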