Laravel creates a new session token but uses the old token when using `csrf_token()`. While validating, it uses the newly created `session_token()` and thus gives "The page has expired due to inactivity. Please refresh and try again." or `TokenMismatchException`.

Works perfectly on localhost but not on live server

I have cleared all the cache, yet couldn't make it work

```
composer dump-autoload
php artisan optimize
php artisan cache:clear
php artisan config:clear
php artisan route:clear
php artisan view:clear
```

Before post request, this is the token

Accordingly, `csrf_token()` also uses the same, but when the POST call is made, the request body uses the above token whereas the session_token uses the new one. (NOTE: the session token does not create a new token every time.)

After post request

Session.php

```php
<?php

return [

    'driver' => env('SESSION_DRIVER', 'file'),

    'lifetime' => 1200,

    'expire_on_close' => false,

    'encrypt' => false,

    'files' => storage_path('framework/sessions'),

    'connection' => null,

    'table' => 'sessions',

    'store' => null,

    'lottery' => [2, 100],

    'cookie' => 'laravel_session',

    'path' => '/',

    'domain' => env('SESSION_DOMAIN', null),

    'secure' => env('SESSION_SECURE_COOKIE', false),

    'http_only' => true,

];
```

storage/framework/session has write permission.

Form

```html
<form method="POST" action="{{ route('login') }}" role="form">
    {{ csrf_field() }}
    <input id="email" type="email" class="form-control" name="email" value="{{ old('email') }}" required
           autofocus>

    <button type="submit" class="btn btn-green">Sign in</button>
</form>
```

TIA

silverFoxA
  • have you tried using laravel recipes to declare your form eg {{ Form::model($role, array('route' => array('roles.update', $role->id), 'method' => 'PUT', 'class'=>"form-horizontal form-label-left","novalidate"=>'true')) }} – Stephen Mudere Feb 10 '18 at 13:34
  • @StephenMudere Please find the updated question, have added the `form` code – silverFoxA Feb 10 '18 at 13:38
  • you can check this question https://stackoverflow.com/questions/46149561/laravel-5-5-the-page-has-expired-due-to-inactivity-please-refresh-and-try-again/46520461 – bipin patel Feb 10 '18 at 13:47
  • @bipinpatel I'm not interested in excluding the route – silverFoxA Feb 10 '18 at 13:52
  • @silverFoxA I have the same problem here... I'm using MacBook OSX 10.12.6, the issue only occurs locally on dev, after pushed to heroku it is working fine... please let me know if you found a solution for this.. – Jacky Choo Mar 23 '18 at 06:51
  • @JackyChoo my issue was something really stupid, I had `CloudFlare` enabled which cached the data, I had to clear the cache. You might want to try clearing the cache and adding proper permission to the directories – silverFoxA Apr 21 '18 at 14:56
  • @silverFoxA thanks for the info, mine was really stupid too! I had faulty code in my database.php and the faulty code runs when I'm connecting to mysql, heroku is fine because I was running Postgresql, however, when I ran the code via `php artisan serve` the error was hidden, somehow I ran the code with XAMPP and the error appeared.. – Jacky Choo Apr 22 '18 at 15:50

1 Answer

Then why don't you add the token via the Session facade? Remove the csrf_field() method and add:

```html
<input type="hidden" name="_token" value="{{ Session::token() }}" />
```
Mahdi Younesi
  • The problem here is that before the POST call, the token is something else (basically the previous token); once the POST request has been made, the token is the new one. If I go back to the main page again or come out of the auth page, the token is the previous token itself. Hope I was able to explain – silverFoxA Feb 10 '18 at 16:09
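
The cause reported in the question's comments, a caching layer in front of the application serving a stored copy of the form, can be reproduced in a few lines. This is an added example, not code from the original posts or from Laravel: the session store, the URL-keyed edge cache and the visitor names are constructed, and the cache is assumed to honour `Cache-Control: no-store`.

```php
<?php
// Constructed model, not Laravel code: an origin that embeds a per-session
// CSRF token in its HTML, behind a shared cache keyed on the URL only.

// Return the session's token, creating one on first use.
function sessionToken(array &$sessions, string $sid): string
{
    return $sessions[$sid] = $sessions[$sid] ?? bin2hex(random_bytes(20));
}

// Origin: render the form with the token bound to the requesting session.
function renderLogin(array &$sessions, string $sid, bool $noStore): array
{
    $html = '<input type="hidden" name="_token" value="' . sessionToken($sessions, $sid) . '">';
    return [$noStore ? ['Cache-Control' => 'no-store, private'] : [], $html];
}

// Simplified edge (assumption): serve a stored copy if present, and store
// the origin response unless it says no-store.
function fetchViaEdge(array &$cache, array &$sessions, string $sid, bool $noStore): string
{
    if (isset($cache['/login'])) {
        return $cache['/login']; // carries the first visitor's token
    }
    [$headers, $html] = renderLogin($sessions, $sid, $noStore);
    if (strpos($headers['Cache-Control'] ?? '', 'no-store') === false) {
        $cache['/login'] = $html;
    }
    return $html;
}

// Origin-side check on POST: constant-time compare of the submitted token
// with the token held in the submitter's own session.
function verifyCsrf(array &$sessions, string $sid, string $html): bool
{
    preg_match('/name="_token" value="([0-9a-f]+)"/', $html, $m);
    return isset($m[1]) && hash_equals(sessionToken($sessions, $sid), $m[1]);
}

foreach ([false, true] as $noStore) {
    $sessions = [];
    $cache = [];
    fetchViaEdge($cache, $sessions, 'visitor-A', $noStore); // first request
    $page = fetchViaEdge($cache, $sessions, 'visitor-B', $noStore);
    $ok = verifyCsrf($sessions, 'visitor-B', $page);
    printf("no-store=%s  visitor-B POST accepted=%s\n", var_export($noStore, true), var_export($ok, true));
}
```

In the first pass visitor B submits the token that was rendered for visitor A and the check fails, which is the mismatch Laravel reports as an expired page; in the second pass the page is never stored and the check passes.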