@screenager, thanks man!
Spent a few hours looking for the solution.
I was messing with .env and accidentally set SESSION_SECURE_COOKIE = {my domain name} which equals TRUE
Because of it no cookies were set as described in config/session.php
Just found another possibility to fix the issue.
In the .env file, make sure the APP_URL and SESSION_DOMAIN are the same.
Example:
APP_URL=http://domain.com/ and SESSION_DOMAIN=domain.com
Also, in your browser dev tools, make sure there is no double attribute for the "laravel_session" and "XSRF-TOKEN" >> http://prntscr.com/fdbix8
I have double attribute because I have "www" on my domain: "www.domain.com"
Oh god thanks guys! I set: SESSION_SECURE_COOKIE=true
and while this would work when deployed with SSL, it clearly didn't work locally without https on the site! Arrrgh :)
@arhakim I'm interested in what you wrote (I also want www. :) ), but I'm not sure why that's related. APP_URL=domain.com and SESSION_DOMAIN=www.domain.com should work, no?
APP_URL is used in many places (even in e-mail text IIRC), but SESSION_DOMAIN is what tells "under what domain should I make the session cookie available?".
In other words, while these two are not related, it IS in fact important to set correct session domain, because if you set it to "www.domain.com" then note the cookie won't be available under domain.com - this is why a server redirect to www. is, in this case, recommended. Hope this helps!
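The two cookie rules discussed in the posts above (the Secure flag and the Domain attribute), as an added example that is not code from any poster or from Laravel itself. The function names are hypothetical, `envValue()` is a simplified model of how Laravel's `env()` casts values, and the hosts and `.env` values are constructed samples.

```php
<?php
// Added example (not Laravel's code). Hosts and .env values are constructed samples.

/** Simplified model of how Laravel's env() casts special literals. */
function envValue(?string $raw)
{
    switch (strtolower((string) $raw)) {
        case 'true':  case '(true)':  return true;
        case 'false': case '(false)': return false;
        case 'empty': case '(empty)': return '';
        case 'null':  case '(null)':  case '': return null; // unset or blank: no value
    }
    return $raw; // any other text stays a string, e.g. "domain.com"
}

/** RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it. */
function domainMatches(string $host, string $cookieDomain): bool
{
    $cookieDomain = ltrim(strtolower($cookieDomain), '.');
    $suffix = '.' . $cookieDomain;
    $host = strtolower($host);
    return $host === $cookieDomain || substr($host, -strlen($suffix)) === $suffix;
}

/** Returns the reasons the session cookie would not round-trip for $url. */
function sessionCookieProblems(array $env, string $url): array
{
    $problems = [];
    // A non-empty string such as "domain.com" casts to true, so Secure is switched on.
    $secure = (bool) envValue($env['SESSION_SECURE_COOKIE'] ?? null);
    $domain = envValue($env['SESSION_DOMAIN'] ?? null);
    $scheme = (string) parse_url($url, PHP_URL_SCHEME);
    $host   = (string) parse_url($url, PHP_URL_HOST);

    if ($secure && $scheme !== 'https') {
        $problems[] = "Secure flag is on but {$url} is not https";
    }
    if (is_string($domain) && $domain !== '' && !domainMatches($host, $domain)) {
        $problems[] = "Domain={$domain} does not cover host {$host}";
    }
    return $problems;
}

$env = ['SESSION_SECURE_COOKIE' => 'domain.com', 'SESSION_DOMAIN' => 'www.domain.com'];
foreach (['http://domain.com/', 'https://www.domain.com/'] as $url) {
    echo $url, ' => ', implode('; ', sessionCookieProblems($env, $url)) ?: 'ok', PHP_EOL;
}
```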
I recently ran into this same issue. For me the problem was that the \Illuminate\Session\Middleware\StartSession::class middleware was being applied to my route twice. Let me explain.
I configured my StartSession middleware as part of a middlewareGroup called web, as you can see below in the app\Http\Kernel.php file:
/**
 * The application's route middleware groups.
 *
 * @var array
 */
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
    'api' => [
        'throttle:60,1',
        'bindings',
    ],
];
Then in my app\Providers\RouteServiceProvider I applied the web middleware group to my routes, as you can see below.
/**
 * Define the "web" routes for the application.
 *
 * These routes all receive session state, CSRF protection, etc.
 *
 * @return void
 */
protected function mapWebRoutes()
{
    Route::middleware('web')
        ->namespace($this->namespace)
        ->group(base_path('routes/web.php'));
}
Then in my Controller I also applied the web middleware group like so.
class FacilityController extends Controller
{
    /**
     *
     * @var FacilityService
     */
    private $facilityService;

    public function __construct(FacilityService $facilityService)
    {
        $this->facilityService = $facilityService;
        $this->middleware('web');
    }
    ...
    ...
Now that was my mistake because now on initial page load a session token is generated, and then when I submit my form a second one is also generated, hence the Token Mismatch error. The fix was to remove the web middleware from the Controller. I hope this helps someone else.