
dib258's avatar

Token not recognized

Hi,

I get this error:

TokenMismatchException in VerifyCsrfToken.php line 46

When I'm making an update from a controller. This is weird since it's the only one that gives me this error, and since I create the form with the Form class, which generates the CSRF token by default.

I looked in storage/framework/session and there are no different files created each time I reload the page (which was advised here: http://stackoverflow.com/questions/28875788/laravel-5-auth-post-submit-tokenmismatchexception-in-verifycsrftoken-php-line#comment46032397_28875788).

{!! Form::model($video, ['route' => ['group.project.video.update', $group, $project, $video], 'method' => 'PATCH', 'enctype' => 'multipart/form-data', 'files' => true]) !!}
    <div class="panel panel-default">
        <div class="panel-heading">Your video</div>
        <div class="panel-body">
                <div class="form-group">
                    <input id="uploadFile" placeholder="No video yet" disabled="disabled" />
                    <div class="fileUpload btn btn-primary">
                        <span>Choose video</span>
                        {!! Form::file('video', ['id' => 'uploadBtn', 'class' => 'upload form-control', 'accept' => 'video/*']) !!}
                    </div>
                </div>
        </div>
        <div class="panel-footer">
            {!! Form::submit('Update your video', ['class' => 'btn btn-primary']) !!}
        </div>
    </div>
{!! Form::close() !!}

Which generates:

<input name="_method" type="hidden" value="PATCH">
<input name="_token" type="hidden" value="45YkmhSmBwo8OXkuk2lZIwzHDHlIT5azfMEihbgN">

What could I do to debug this? Since it's working everywhere and here it doesn't even call the update method (login security breach :p), I won't paste it here.

Thanks in advance!

bestmomo's avatar

@dib258

Looks like you are on 5.0.

Token verification is in this method in Illuminate\Foundation\Http\Middleware\VerifyCsrfToken.php:

/**
 * Determine if the session and input CSRF tokens match.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function tokensMatch($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if ( ! $token && $header = $request->header('X-XSRF-TOKEN'))
    {
        $token = $this->encrypter->decrypt($header);
    }

    return StringUtils::equals($request->session()->token(), $token);
}

So you can debug there.

dib258's avatar

@bestmomo, yes, I'm on Laravel 5.0.

So I tried to debug a little. Thanks for the right method @bestmomo, and this is incoherent...

I have this input generated automatically by the Form class.

<input name="_token" type="hidden" value="kROsAFp2j9O691nGylh0SIE25fclGCBKbWDRlLcd">

In the tokensMatch I added this just over the return method :

dd($request->input('_token').' / '.$request->session()->token().' / '.$token);

That's the result:

" / kROsAFp2j9O691nGylh0SIE25fclGCBKbWDRlLcd / "    

So how is it possible that my input _token is empty?

I checked for the X-CSRF-TOKEN and the X-XSRF-TOKEN in dd($request):

There is no X-CSRF-TOKEN but there is

  "HTTP_COOKIE" => "XSRF-TOKEN=eyJpdiI6Ik9aZ0VXVHBVUlwvVFdsTFhvVmUyRXZRPT0iLCJ2YWx1ZSI6Imo0MlVJV1l0eDJMNEIzYnF0RVprZFwvU0FkcnRPRDZCWmNoc1ZFRURkeGhnSWQwZnNNbW5GVmZCd3dRajk2a09Qdm9zSGt2QzNLV1l5THRSenU5cGVCUT09IiwibWFjIjoiZDVkOWU2ODM2Y2NjYjAyOGVmYjljZTI0MTI4YzFjYjAzYzFmZTBlMTU5OTAyMDA2MGQ4MjZmNzQ5NDViNWZhNyJ9; laravel_session=eyJpdiI6IjJSRnI5ejh1aGVqdklTTXdubzJrXC93PT0iLCJ2YWx1ZSI6IjBmTFJ4a0g2bUg5RHZnUnljVDRQR3dEanhPZkEzM1JGYWxRWmFKRWZWbHZZTkVkdUtwOFFkdXYzZlR3VWllR2VWSGUyREtnbTYzNHc1YXl4SlREaTNBPT0iLCJtYWMiOiI0NDBmMThiZWE2MTE5MjA1OGE3MDgxZmQwYzQ3ZjE5YTUzYzhkMzAyZjk0ZDA3Nzc2YzRlOGEzZWZiMWFlODQyIn0%3D"

I tried to decrypt the value to see what's in it:

$this->encrypter->decrypt($request->header('X-XSRF-TOKEN'))

The result is:

DecryptException in Encrypter.php line 142: Invalid data.

I don't understand how it is possible, since everywhere else forms are working...
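
An added example, not part of the thread or of Laravel's code: a stand-alone PHP 7+ function that follows the lookup order of the tokensMatch() method quoted above and reports which token source was missing. It also checks one known way a multipart upload can arrive with an empty `_token`: when the request body exceeds `post_max_size`, PHP discards all form fields; the thread does not confirm that this was the cause here. The function names, arguments and sample values are constructed for illustration.

```php
<?php
// Added example, not Laravel source: follows the lookup order of the quoted
// tokensMatch() and reports which token source was actually present.

/** Convert an ini size such as "8M" to bytes. */
function iniBytes(string $value): int
{
    $bytes = (int) $value;                       // "8M" casts to 8
    switch (strtolower(substr(trim($value), -1))) {
        case 'g': $bytes *= 1024;                // falls through
        case 'm': $bytes *= 1024;                // falls through
        case 'k': $bytes *= 1024;
    }
    return $bytes;
}

/**
 * $input: parsed form fields, $headers: request headers,
 * $sessionToken: token held in the session, $contentLength: request body size,
 * $postMaxSize: the post_max_size ini value (all passed in so this runs offline).
 */
function diagnoseCsrf(array $input, array $headers, string $sessionToken,
                      int $contentLength, string $postMaxSize): string
{
    $token = ($input['_token'] ?? '') ?: ($headers['X-CSRF-TOKEN'] ?? '');

    if ($token === '') {
        $limit = iniBytes($postMaxSize);         // 0 means no limit
        if ($limit > 0 && $contentLength > $limit) {
            return "no token: body ($contentLength bytes) exceeds post_max_size "
                 . "($limit bytes), so PHP dropped every form field";
        }
        if (!empty($headers['X-XSRF-TOKEN'])) {
            return 'no plain token: X-XSRF-TOKEN header must be decrypted first';
        }
        return 'no token in the form fields or in either header';
    }
    // hash_equals() is constant-time; it stands in for StringUtils::equals().
    return hash_equals($sessionToken, (string) $token)
        ? 'match'
        : 'mismatch: token present but different from the session token';
}

// Constructed inputs: a 20 MB multipart upload against an 8M limit, then a small form.
echo diagnoseCsrf([], [], 'constructed-session-token', 20971520, '8M'), PHP_EOL;
echo diagnoseCsrf(['_token' => 'constructed-session-token'], [],
                  'constructed-session-token', 512, '8M'), PHP_EOL;
```

In the dump above, XSRF-TOKEN appears only as a cookie; the quoted method reads X-XSRF-TOKEN from a request header, which a plain form submit does not send.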

bobbybouwmann's avatar

What if you do this in your controller?

public function update() 
{
    dd(Request::all());
    
    // Other stuff here
}

It will show you all the data posted by the form, including the _token field.

dib258's avatar

@bobbybouwmann, I have put this dd($request); at the top of my update method.

I said it in my first post. It never comes to the method.

But I have UpdateVideoRequest $request, which is really not the problem, I think:

<?php namespace App\Http\Requests;

use App\Http\Requests\Request;

class UpdateVideoRequest extends Request {

    public function authorize()  {
        return true;
    }

    public function rules() {
        return [
            'video' => 'request' // |mimes:wma,mov,mp4
        ];
    }
}
bobbybouwmann's avatar

Shouldn't it be this?

'video' => 'required' // You had request, it should be required of course!

What happens if you remove the UpdateVideoRequest dependency, just to test it out?

dib258's avatar

@bobbybouwmann, damn it, that's it, no more coding at 4 a.m. ^^

Changed it to required of course, removed UpdateVideoRequest, but the error is still there.

Man, what's this problem oO The update method is still not called.
