TokenMismatchException in VerifyCsrfToken.php line 53 in Laravel 5.1

Question

When I try to login show me token error. I have checked token in view form it's right and when comment \App\Http\Middleware\VerifyCsrfToken::class, in the Kernel.php it makes me login but after Redirect to my dashboard I'm not logged in. I am using MAMP on mac.

<div>
    <h1>Login</h1>
    <div>
        {!! Form::open(['url'=>'user/login','class' => '']) !!}
        <input type="hidden" name="_token" value="{{ csrf_token() }}">
        <ul>
          <li><label>Customer Code</label>{!!Form::Text('customer_code',Input::old('customer_code'),['class'=>''])!!}</li>
          <li><label>Password</label>{!!Form::Password('password','',['class'=>''])!!}</li>
          <li>{!! Form::submit('Submit',array('class' => 'btn')) !!}</li>
        </ul> 
        {!!Form::close()!!}
    </div>
    <div><a href="{!!URL::to('user/forget_password')!!}">Forget Password</a></div>
</div>

Meanwhile I use Sentry Package for login.

    /**
     * post_login
     */
    public function post_login()
    { 
        try
        {
            $rules  = [ 
                    'customer_code'         => 'required',
                    'password'              => 'required',
                ] ;                    
            $message = [ 
                    'customer_code.required'             => 'erorrr1',
                    'password.required'                =>'error2'    
                             ];                            
            $validator = Validator::make(Input::all(), $rules,$message);
            if ($validator->fails())
            {            
                return Redirect::back()->withErrors($validator)->withInput();        
            } // if ($validator->fails())
            else
            {
            $authUser = Sentry::authenticateAndRemember(array(
                                      'customer_code'    => Input::get('customer_code'),
                                      'password' => Input::get('password')), false);

                           if($authUser) 
                           {
                                //$login = Sentry::loginAndRemember($authUser);
                                 return Redirect::to('user/panel/'.$authUser->id)->with('comment', 'Welcome');
                           }
                           else
                           {
                             return Redirect::back()->with('comment', 'Error for login');
                           }
            }//validator                           
        }
         catch(\Exception $e)
         {
             return Redirect::back()->withInput(Input::except('password','file'))->withErrors(['ERROR!!!!!']);
         }
}

Answer 1

Edited:

Since you are using Form builder remove this from your form. Laravel form builder automatically adds a hidden token field to your form when you do Form::open()

So remove this line:

 <input type="hidden" name="_token" value="{{ csrf_token() }}">

Answer 2

Well I think all missed the CSRF Token creation while logout!

As I have solved out the problem.

Just add below code to the header.

<meta name="csrf-token" content="{{ csrf_token() }}">
<script type=text/javascript>
    $.ajaxSetup({
            headers: {
                'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
            }
    });
 </script>

And if you use {!!Form::open()!!} it will automatically create the token. Otherwise you can use

<input type="hidden" name="_token" id="_token" value="{!! $csrf_token !!}}" />

or

{!! csrf_field() !!}

just immediate form open. Most importantly use return Redirect::to(''); on controller function or a page reload or ajax reload that the token can be created!

Like:

public function logout() {
    Session::flush();
    Auth::logout();

    return Redirect::to('/');
}

For ensure the token properly created or not check "view page source" on browser and it will shows like:

<meta name="csrf-token" content="TbgWTQZhTv0J4eFBQNU4rlM3jOlmBeYlTgf0waZB">
    <script type=text/javascript>
    $.ajaxSetup({
            headers: {
                'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
            }
    });
    </script>


<form method="POST" action="/login-process" accept-charset="UTF-8" class="form-inline"><input name="_token" type="hidden" value="TbgWTQZhTv0J4eFBQNU4rlM3jOlmBeYlTgf0waZB">   

I think it might solve the problem as it worked for me!

Answer 3

With a fresh install of Laravel 5.1, without just a composer update from version 5.0 to 5.1 I see some differences and one in the Middleware folder.

EncryptCookies.php are a new Middleware, check if you have it.

So, I don't have tested again, I tranfert at the moment my files from my version 5.0 to a new installation of version 5.1 but im pretty sure that can be the solution for this problem, EncryptCookies.php was in the stack of the token mismatch error.

Answer 4

Adding {!! csrf_field() !!} solved my problem as shown below:

<form action="#" method="post" class="form-horizontal" role="form">
{!! csrf_field() !!}

</form>

If using Laravel Form helper such as below:

{!! Form::open(array('class' => 'form-horizontal', 'role' => 'form')) !!}

CSRF Code will be added automatically in your html script. Also make sure to view the source code in browser to be certain that a field such as below was indeed added.

<input type="hidden" name="_token" value="dHWBudjTyha9AMr0SuV2ABq5NNK6bTIDZDXRWCBA">

Answer 5

You did not post your sample code in your question.

Therefore check your code with the following options,

try with hidden input field value:

{!! csrf_token() !!} or {{ csrf_token() }}

You can also use form blade template:

{!! Form::open(array('method' => 'GET/POST','url' => 'YOUR_URL',)) !!}

This will automatically add CSRF Code in your html script

One more thing to include in <head> section is:

<meta name="csrf-token" content="{{ csrf_token() }}">

Answer 6

I was also having this problem when trying to upload a file. Turned out the max_post_size was being exceeded, in which case apparently all POST variables are cleared and therefore no token is being received.

Answer 7

Add <?php echo Form::token(); ?> in side the form.

Answer 8

This solution worked for me:

Add {{ csrf_field() }} anywhere in the form.

Answer 9

Remove App\Http\Middleware\VerifyCsrfToken::class from $middleware in Kernel.php.

Answer 10

I used the following code. It is working perfectly.

<?php echo csrf_token(); ?>

Answer 11

I had the same problem. I am using Laravel 5.1.28, php 5.6.13
After seeing the TokenMismatchException in VerifyCsrfToken, I searched the web for answers but none solved my problem.

The page did send the token. The token values is also seen in the session file in the directory storage/framework/sessions (I disabled encryption to see it).

Exhausted, I re-install laravel and use simple form for testing - it worked without token mismatch error.

Moving my code to the newly installed laravel piece by piece, I finally found that the problem was caused by doctrine/dbal (I still do not know why).

Removed it from composer.json and the problem disappeared.
In the composer.json, token mismatch error was seen with the following line:

"require": {
    ....
    "doctrine/dbal": "^2.5"
    ...
},

Your case may be different, but you may want to see if you change anything in composer.json that may be causing the problem.

Answer 12

I have same problem while using this code

<input type="hidden" name="_token" value="{!! csrf_token() !!}">

<input type="hidden" name="_token" value="{{ csrf_token() }}">

by changing it to {!! csrf_field() !!} solve my problem

i'm on L5.1

Answer 13

It works for me.

<meta name="csrf-token" content="{{ csrf_token() }}" />

<script>
function getMessage(){ 
$.ajax({
   headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')},
   type:'POST',
   url:'/getmsg',
   // data:'_token = <?php echo csrf_token() ?>',
   success:function(data){
      $("#msg").html(data.msg);
   }
 });
}
</script>

{{ Form::button('Replace Message',['onClick'=>'getMessage()']) }}