12

I just created a new project of laravel version 5.5 with the laravel installer.And run the command "php artisan make:auth".The views and controller are generated for the user authentication.And also run "php artisan migrate" to create tables needed in the database.When visiting the login page and register page,filling the form and submit.It shows "The page has expired due to inactivity. Please refresh and try again.".But refreshing the page does nothing help. Seen in the source code,where causes the exception:

if ($e instanceof ModelNotFoundException) {
        $e = new NotFoundHttpException($e->getMessage(), $e);
    } elseif ($e instanceof AuthorizationException) {
        $e = new AccessDeniedHttpException($e->getMessage());
    } elseif ($e instanceof TokenMismatchException) {
        $e = new HttpException(419, $e->getMessage());
    }

It seems "TokenMismatchException" causing this problem. When did this happen?And why?I just create this new project and did not do any other changes. Hope you got the points. I use php 7.1.9(laravel 5.5 requires php > 7.0.0).And serve the project in develop environment with:php artisan serve

brian.shen
  • 123
  • 1
  • 1
  • 4
  • On every page refresh does it create new session file in storage/log folder ? And try SESSION_DOMAIN=localhost in env file – Dhaval Sep 01 '17 at 06:18
  • 1
    Please refer to this: https://stackoverflow.com/questions/45575735/laravel-spark-csrf-failure-on-login-page – Saurabh Sep 01 '17 at 06:19
  • @Dhaval Yes,a new session file created in 'storage/framsework/sessions'. I'v add SESSION_DOMAIN=localhost in the .env file.It still not work – brian.shen Sep 01 '17 at 06:27
  • @brian.shen every time you refresh page it's create new session file ? – Dhaval Sep 01 '17 at 06:30
  • @Saurabh This is a different situation.Every page refresh,laravel generate a new session.Which causes the csrf token mismatch – brian.shen Sep 01 '17 at 06:33
  • I'm having the same issue after upgrading an app from 5.4 to 5.5. And I don't like ad-hoc solutions like "clear your cookies". What if this affects my 10k+ users as well? I don't intend to tell them "clear your cookies". – karni Sep 01 '17 at 14:14
  • Having the same issue on my default login process and keep seeing the CSRF solution, which I clearly have. My sessions folder is empty and when I try to login no new session file is created. – Dylan Glockler Sep 29 '17 at 16:22
  • I noticed my storage/framework/sessions folder had limited permissions and no file was writing there so I opened them up temp to 777 and now it's writing the session files but i'm still having the same issue. This is only on production. It worked yesterday and works on dev. – Dylan Glockler Sep 29 '17 at 16:50
  • Quite sure it has something to do with permissions on the sessions directory. I cloned my application on cloudways and it worked immediately. Permissions seem to get jacked up fairly frequently. I did try chmod on them and did see the session files being created after that, but it still wasn't working. Only my clone saved me and got me working again. – Dylan Glockler Sep 29 '17 at 18:24

17 Answers17

31

i think you missed csrf token.

dont forget to use {!! csrf_field() !!}

Kokil
  • 560
  • 1
  • 5
  • 16
12

I had the same problem on localhost:8000 (php artisan serve). Maybe it's coincidence, but try on "clean browser" , other than you used with previous development. For me it worked.

It seems that the problem is with cookies from development with previous Laravel versions, on the same url.

studiojasper_pl
  • 144
  • 6
12

In my case, I've got the same error message and then figured that I missed to add csrf_token

{{ csrf_field() }}

Or without form helper that will be,

<input type="hidden" name="_token" value="{{ csrf_token() }}">

If that doesn't work, then-

Refresh the browser cache and hopefully it will work, thanks.

Maniruzzaman Akash
  • 4,610
  • 1
  • 37
  • 34
9

I had the same issue and it was because I was using virtualhost and I setup below variable to mydomain.com. in config/session.php file

'domain' => env('SESSION_DOMAIN', 'mydomain.com'),

When I changed it to null then it started working

'domain' => env('SESSION_DOMAIN', 'null'),

I don't know what is the reason behind it but it is working fine now.

Afraz Ahmad
  • 5,193
  • 28
  • 38
1

Add csrf token 

       <input type="hidden" name="_token" value="{{ csrf_token() }}">
shalini
  • 1,291
  • 11
  • 13
1

It appears to be permission settings on either storage and/or bootstrap/cache.

I'm using a Cloudways server. I reset permissions on my server under Application Settings and it now works. On my local development server the equivalent was to set chmod 777 on storage.. I had used 755 previously and the error persisted.

Dylan Glockler
  • 1,115
  • 1
  • 20
  • 40
1

try this one in your global handler app/Exceptions/Handler.php

public function render($request, Exception $e)
{
    if ($e instanceof \Illuminate\Session\TokenMismatchException) {

        return redirect('/login');

    }

    return parent::render($request, $e);
}
Berkat
  • 11
  • 1
0

I had this same issue. vagrant reload --provision worked for me

Buddy
  • 10,874
  • 5
  • 41
  • 58
mark edosa
  • 54
  • 4
  • I tied all provided solutions on other posts, nothing work. other browser like FF and chrome is working fine, but issue with IE. I notice that each time I refresh the login page or register page I got new session file. even I tried vagrant provision command but no luck. Many thanks. – Ahmad.Net Dec 18 '17 at 14:41
  • I don't know if you're still having this problem, @Ahmad.Net, but I found the solution that worked for me: https://stackoverflow.com/a/39332972/2379279 Turns out that the clock on my Homestead server was out of sync. – Sturm Jan 11 '18 at 18:20
0

I would also keep csrf_token in a meta tag. 

<meta name="csrf-token" content="{{ csrf_token() }}">
Raza Mehdi
  • 923
  • 5
  • 7
0

I was only testing post requests for my api and came across the same issue. I resolved it by adding my route to the Middleware VerifyCsrfToken's $except array i.e. go to app/Http/Middleware/VerifyCsrfToken and add

protected $except = [
        'your/route'
];

But if your requests are from some front-end platform or views, it's advisable to add {{ csrf_field() }} in the form that sends the request.

Allan Mwesigwa
  • 1,210
  • 14
  • 13
0

Hi for the group paths that you want to apply to everyone, use this method, which is my 5.5 larval version. Use the star => go to app/Http/Middleware/VerifyCsrfToken and add

protected $except = [
    '/user/*'
];

This is also my user's path

Route::group(['prefix' => 'user', 'namespace' => 'User', 'as' => 'user.'] , function (){
Ali Najafi
  • 11
  • 4
0

This issue is mainly caused because you don't have the csrf token in your form. During csrf token verification it fails, that's why you are getting this page. Laravel generally needs csrf token in all its forms. You can add a csrf token simply by adding this inside the form.

 {{ csrf_field() }}

Another method of doing this is you can exclude your route in the verifycsrftoken middleware.

Just add a protected field in the middleware with your route name.

protected $except=[
                    '1st route',
                    '2nd route',
                    .
                    .
                  ];

This should work.

Darshan
  • 345
  • 6
  • 24
0

Add this code in your

app\Exceptions\Handler.php file

if ($exception instanceof \Illuminate\Session\TokenMismatchException) {
    // Perform operation on page expired
}
Rizwan Saleem
  • 904
  • 11
  • 28
0

Sorry for Answering later I had same problem after searching on the internet found two solutions

1-Add

@csrf

or

 <input type="hidden" name="_token" value="{{ csrf_token() }}">

inside your form if missing

2:if you opened you login page for long time and didn't logged in. just refresh the browser or press ctrl+F5

Mohammad Edris Raufi
  • 1,393
  • 1
  • 13
  • 34
-1

Make sure your User.php model exist in app folder and fields must be define in this model.

<?php

namespace App;

use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    use Notifiable;

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'name', 'email', 'password',
    ];

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'password', 'remember_token',
    ];
}
Catalyst
  • 1,018
  • 2
  • 12
  • 19
Inderjeet Klsi
  • 104
  • 3
  • 1
    Yeah.It's there by defaut.I did not change – brian.shen Sep 01 '17 at 06:29
  • 1
    Unfortunately none of the answers given have solved my issue. CSRF token exists, browser session is new, User model is there, still nothing works. When I compare the Session ID with the _token values they are not the same? – DevelumPHP Sep 15 '17 at 06:16
-1

if you created a new project localhost You need view config/session line : 166 if 'secure' => true , you need edit 'secure' => false, When you up the host or server, re-config => true sorry i know a little english , hope can help you

Scott
  • 1
-1

Had this issue as well! Solved it by:

  1. Clearing browser session storage and cookies.
  2. Running php artisan cache:clear
  3. Ensuring the storage/framework/sessions folder was empty, except for the .gitignore.
  4. Restarting dev environment.
Doug Black
  • 59
  • 4