2

This is driving me crazy. I'm getting token mismatches on each POST whether from a Laravel form or from AJAX. I added some code to the filter to show me the session vs. _token:

Route::filter('csrf', function()
{
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {

        $token = Input::has('_token') ? Input::get('_token') : '';
        $sessionToken = Session::token();

        if ($sessionToken != $token)
        {
            $message = 'Token mismatch';

            // This one is for debug purposes only: it sends the session's token back to the client
            return Response::json(['flash' => "$message; session: $sessionToken ; yours : $token"], 401);

            // Normal response; unreachable while the debug return above is in place
            return Response::json(['flash' => $message], 401);
        }
    }
});

Here's the login form:

        {{ Form::open(array('route' => 'sessions.store')) }}

        <div class="form-group">
            {{ Form::label('email', 'Email Address') }}
            {{ Form::text('email', '', array('placeholder' => '[email protected]', 'class' => 'form-control')) }}
        </div>

        <div class="form-group">
            {{ Form::label('password', 'Password') }}
            {{ Form::password('password', array('placeholder' => 'Enter your password', 'class'=>'form-control')) }}
        </div>

        <div class="form-group">
            {{ Form::submit('Sign in', array('class' => 'btn login'))}}

            <a href="{{{ URL::to('session/registration') }}}" class="btn signup">Create an Account</a>
        </div>

    {{ Form::close() }}

For example when logging in, here is the token mismatch flash I get:

{"flash":"Token mismatch; session: uN3sd8PNWUfgTuqc1RZrRfXgpGpHOEKkCtoo3XVX ; yours : Ybmn6u80rLpxIcGdahd7KT2eR6WmcaPN28arZ9kg"}

It's happening when I have app/config/session.php set to 'apc'. All is fine when it's set to 'native' or 'cookie'. I have cache set to 'apc', which is our caching engine on our server.

Ideas?

2
  • Hi. Did you ever find a solution for this? This only happens when I try to access the website on other computers. Commented Jan 25, 2014 at 6:33
  • A strange thing happened with me: I just cleared the Chrome cache and it works now. Commented Mar 17, 2016 at 6:28

4 Answers

2

You are not submitting _token with your POST request.

Add

  <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

before {{Form::close()}}

http://laravel.com/docs/security#protecting-routes


2 Comments

It actually gets added automatically with Laravel 4 and is present in the DOM.
This actually solved my problem. I didn't even think to include the form token in my AJAX request.
0

I had that problem too, I don't know the actual way to fix this. I think this is a bug, but I needed my application to function. So here's the original app/filter.php file:

Route::filter('csrf', function() {
    if (Session::token() != Input::get('_token')) {
        throw new Illuminate\Session\TokenMismatchException;
    }
});

I modified it to use the csrf_token() function and it worked for me:

Route::filter('csrf', function() {
    if (csrf_token() != Input::get('_token')) {
        throw new Illuminate\Session\TokenMismatchException;
    }
});

This is just a quick fix to get my application up and working before someone figures out a solution.

1 Comment

That doesn't make sense, because csrf_token() just returns Session::token()
0

Are your sessions being saved to the DB? In my case they weren't. AndreasLutro from the #laravel IRC suggested to check this issue out! https://github.com/laravel/framework/issues/4441


0

I ran into this issue on my local computer. I have Laravel running on a web server and the csrf token is working great, but not on my local computer.

I have cache set to file on my local computer.

I found out that sessions were not getting saved. I fixed this by changing the permissions for the "storage/sessions" folder on my local machine (not the server!) to 777.
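
The debug filter in the question returns the session's token in the 401 body, and two of the answers trace the mismatch to sessions that were never saved. The following is an added example, not code from the question or any answer: a variant of the filter that keeps the diagnostics in the server log and compares in constant time. It assumes PHP 5.6 or later for hash_equals(); the helper name tokenFingerprint and the X-CSRF-Token header name are hypothetical choices made for this example.

```php
<?php
// Added example (not from the thread): replacement for the 'csrf' filter in
// app/filters.php. Assumes PHP >= 5.6 for hash_equals().

// Hypothetical helper: a short one-way tag, so log lines can be compared
// ("same value or not?") without writing the secret itself to the log.
function tokenFingerprint($value)
{
    return is_string($value) && $value !== ''
        ? substr(hash('sha256', $value), 0, 8)
        : '(none)';
}

Route::filter('csrf', function()
{
    if (Request::method() === 'GET') {
        return; // same scope as the filter in the question
    }

    // Forms send _token; AJAX callers may send it in a header instead
    // (the header name is an assumption of this example).
    $submitted = Input::get('_token', Request::header('X-CSRF-Token'));
    $expected  = (string) Session::token();

    // Reject arrays (e.g. _token[]=x) before the constant-time comparison.
    $valid = is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);

    if ($valid) {
        return;
    }

    // Diagnostics stay on the server. If session_id differs on every request
    // from the same browser, the configured driver is not persisting sessions.
    Log::warning('CSRF token mismatch', array(
        'driver'      => Config::get('session.driver'),
        'session_id'  => tokenFingerprint(Session::getId()),
        'expected'    => tokenFingerprint($expected),
        'submitted'   => tokenFingerprint($submitted),
        'sent_cookie' => Request::cookie(Config::get('session.cookie')) !== null,
    ));

    return Response::json(array('flash' => 'Token mismatch'), 401);
});
```

Two consecutive log entries from one browser are enough to tell the cases apart: a changing session_id points at the session store (driver or storage permissions), while a stable session_id with submitted "(none)" points at a request that never carried the token.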
