I'm new with Laravel and I have a problem which I don't understand. I have а log form in my project and my method is POST. When I try a request the result is:
'The page has expired due to inactivity. Please refresh and try again.'
But if I change the method to GET, It works fine.
Can someone tell me why is that and how to fix it? because of course I need POST method.
This problem comes from the CSRF token verification which fails. So either you're not posting one or you're posting an incorrect one.
The reason it works for GET is that for a GET route in Laravel, there is no CSRF token posted.
You can either post a CSRF token in your form by calling:
{{ csrf_field() }}
Or exclude your route (NOT RECOMMENDED DUE TO SECURITY) in app/Http/Middleware/VerifyCsrfToken.php:
protected $except = [
'your/route'
];
In my case, I've got the same error message and then figured out that I've missed to add csrf_token for the form field. Then add the csrf_token.
Using form helper that will be,
{{ csrf_field() }}
Or without form helper that will be,
<input type="hidden" name="_token" value="{{ csrf_token() }}">
If that doesn't work, then-
Refresh the browser cache
and now it might work, thanks.
Update For Laravel 5.6
Laravel integrates new @csrf instead of {{ csrf_field() }}. That looks more nice now.
<form action="">
@csrf
...
</form>
Anytime you define an HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request. You may use the csrf_field helper to generate the token field:
<form method="POST" action="/profile">
{{ csrf_field() }}
...
</form>
It doesn't work, then Refresh the browser cache and now it might work,
For more details open link :- CSRF Protection in Laravel 5.5
UPDATE:
With Laravel 5.6 using Blades templates, it's pretty easy.
<form method="POST" action="/profile">
@csrf
...
</form>
For more details open link :- CSRF Protection in Laravel 5.6
Verify that your config/session.php file contains this line
'domain' => env('SESSION_DOMAIN', null),
Then remove the SESSION_DOMAIN line in your .env file
In my case , I added ob_start(); at the top of my index.php on server and everything seems to be working fine.
Excluding URIs From CSRF Protection:
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
'stripe/*',
'http://example.com/foo/bar',
'http://example.com/foo/*',
];
}
i had same problem. use 'clear browsing data' in chrome. maybe solve your problem.
This happens because you are using the default CSRV middleware from Laravel's installation. To solve, remove this line from your Kernel.php:
\App\Http\Middleware\VerifyCsrfToken::class,
This is fine if you are build an API. However, if you are building a website this is a security verification, so be aware of its risks.
Tried different solutions to solve the problem for several weeks without success.
The problem I was facing was caused by upgrading from laravel 5.0 to 5.5 and forgot to update config/session.php
If anyone is facing the problem, try to update the config/session.php to match the version on Laravel you are running
I had the same problem, I have tried many solutions. but none worked for me. then I found out that for some reason I was using this in my .env file:
SESSION_DOMAIN= myapp.me
and as soon as I put it back to null, everything worked just fine.
if your config is set: SESSION_DRIVER=file you have to check if your session directory is writable. Check storage/framework/session
If you have already included the CSRF token in your form. Then you are getting the error page possibly because of cache data in your form.
Open your terminal/command prompt and run these commands in your project root.
php artisan cache:clear php artisan config:clear php artisan route:clear php artisan view:clear,Also try to clear the browser cache along with running these commands.
In my case, there was 'space' before <?php in one of my config file.
This solved my issue.
Just place this code inside the form
<input type = "hidden" name = "_token" value = "<?php echo csrf_token() ?>" />
I was facing the same error so i just removed this line from my .env file
SESSION_DRIVER=yourwebsite.com
Still anyone have this problem, use following code inside your form as below.
echo '<input type = "hidden" name = "_token" value = "'. csrf_token().'" >';
if you need to change form action with Javascript you will have the same problem
1.first you need to use instead of {!!Form::open() !!} {!! close() !!} in laravel
2.second you most begin your action with https://www.example.com +your Route
Do not Forget www in your url!!!
In my case the same problem was caused because I forgot to add > at the end of my hidden input field, like so: <input type="hidden" name="_token" value="{{ Session::token() }}"
So, I fixed it by adding it:
<input type="hidden" name="_token" value="{{ Session::token() }}">
It's Funny but it works for me. i realised this is Caused because of default HTML TAG in laravel code. Use /* */ or {{-- --}} instead
Or Try to Remove Recently Html Coment in you code... Or change Html Comment to Php Comment... Or try to run Any Worng artisan command like php artisan clean browser And See if it output any HTML Commented data along with it error...
We got it working by copying the routes from Router.php instead of using Auth::routes(), these are the routes you need:
Route::get('login', 'Auth\LoginController@showLoginForm')->name('login');
Route::post('login', 'Auth\LoginController@login');
Route::post('logout', 'Auth\LoginController@logout')->name('logout');
// Registration Routes...
Route::get('register', 'Auth\RegisterController@showRegistrationForm')->name('register');
Route::post('register', 'Auth\RegisterController@register');
// Password Reset Routes...
Route::get('password/reset', 'Auth\ForgotPasswordController@showLinkRequestForm')->name('password.request');
Route::post('password/email', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('password.email');
Route::get('password/reset/{token}', 'Auth\ResetPasswordController@showResetForm')->name('password.reset');
Route::post('password/reset', 'Auth\ResetPasswordController@reset');
I know this question has been satisfactorily answered, but I wanted to mention a fix that worked in my case. I added {{ csrf_field() }} and it still didn't work.
Then I remembered that I blocked all cookies for development purposes, which can be nice when you change the page and want to refresh it.
Once I changed the settings to stop blocking all cookies in MS Edge browser the problem went away.
my problem solved by just adding @csrf in form tag
Laravel 5.6 doesn't support {{ csrf_field() }} just add @csrf in place of {{ csrf_field() }}
larvel_fix_error.png
It may be csrf token do not have in your form. You have to use @crsf or {{ csrf_field() }}
If you are use csrf on your form. It may be cache. Clear your app cache.
php artisan cache:clear
php artisan view:clear
php artisan cache:clear
And clear your browser cache.
If errors again show you, then create a new key
php artisan key:generate
If anyone still looking for an answer to this issue. For me it happens when I'm switching between local and production server and I'm logged on both sites. To fix the issue, just clear the session.
just set the 'expire_on_close' => true in config\session.php and restart your browser
I recently went through this problem, tried all the solutions proposed here (and the internet) without success for 5 days.
In my case my environment:
Laravel: 5.5
PHP: 7.2
SSL: production
Apache
CENTOS
The problem is that I had automated the deployment using the git --bare repository with ansimble.
And all folders when pushing were with permission 0775 (inherited from the git user). When ansinble was run it replicated this permission to all folders. When composing install for example, all vendor folders also had this permission.
The csrf, has a policy of blocking what is considered insecure, especially if you use an encrypted environment (SSL).
I only realized the problem when I decided to carry out the deployment manually, zipped the project, uploaded it, unzipped it and ran the commands to generate the caches and dependencies. And then I realized that this way all folders were with permission 0755 (inherited from the system user). And this is the default permission that is considered safe.
In my case, it seems to be an issue in my web browser (Firefox for Android) or my smartphone with full storage. In another browsers and devices it works. By the way, the issue happens only when I send files through the form, I realized I currently can't upload files from my smartphone through this browser in any websites like https://filebin.net.
This is very simple for me. maybe the sessions folder is missing in storage/framework/sessions
Some time its issue with the server storage. In my case server storage was full so it could not write any session to file.So freeing out some server storage solved the issue. Also sometimes it the issue of csrf if we forget to include csrf in post field.
Go into
App/Kernel.php and comment
\App\Http\Middleware\VerifyCsrfToken::class.
