419 Page Expired In Laravel Even after adding CSRF token

Question

I am working on a Laravel 8 Framework, I have added the application on the live Cpanel server and then it started showing below Error:

419 PAGE EXPIRED

I know generally missing CSRF token will be the main issue but in this, I have added the CSRF token, I am using LARAVEl blade syntax so adding LARAVEL blade form syntax the "Token" (CSRF) will get added directly.

 {{ Form::open( [ "url" => \URL::route("front.login.check"), "autocomplete"=>false,"id" => "login_form" ] ) }}

This will add the CSRF automatically, I have tried adding directly, But every POST request end up on the 419 PAGE EXPIRED page.

What do I have checked already?

CSRF Token Is not missing in the Form
I have checked middleware also but this request did not reach the middleware after form submit it will take to the 419 page
Also try to php artisan cache:clear and dump-autoload command but the issue is still.
Added 755 permission to storage, vendor and cache folder also.

Please help me on this What next should I need to check for solve this issue?

Does your session files `storage\framework\sessions\*` has `_token` key with value of 40 characters ? — medilies, Mar 19 '22 at 18:21
@medilies yes sir this `sessions` file has `_token` it's look like this `a:2:{s:6:"_token";s:40:"A6TrQWNlZ7qckF7i4r0yiBwHqUD1Uvr4fRuyoUfp";s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}` — always-a-learner, Mar 19 '22 at 18:22
@medilies yes sir, as I mention I have a check that and `_token` is there. i have a double check on that. — always-a-learner, Mar 19 '22 at 18:25
It may be an issue with your session driver config. Check https://stackoverflow.com/a/31451983/17873304 — medilies, Mar 19 '22 at 18:26
@medilies try as your suggestion .. still on the same error page.. clear the config cache also — always-a-learner, Mar 19 '22 at 18:33

steven7mwesigwa · Accepted Answer · 2023-08-09T08:44:44.150

Laravel "419 Page Expired" Error Troubleshooting Steps

Apply/go through all steps up to "step 12" BEFORE testing your application for this error.

Increase your session expiration time (I.e. 24 hours).
Make sure that the "session domain" is the same as the "app URL".
Ensure that the session cookies are sent back to the server for both "HTTP" & "HTTPS" browser connections.

.env file contents applying the above 3 steps.

Change myapp.local to your application domain.

APP_URL="http://myapp.local"
SESSION_LIFETIME=1440
SESSION_DOMAIN=myapp.local
SESSION_SECURE_COOKIE=false

Make sure you submit a CSRF token along with your (PUT/POST/DELETE/etc.) HTTP requests.

(I.e: Ensure that this request parameter is submitted along with your HTML form requests <input type="hidden" name="_token" value="{{ csrf_token() }}" />).
If in case you make AJAX requests in your application, you may configure ALL AJAX requests to send the CSRF token at all times.
- Add this "<meta> tag" inside the <head> tag of all your master VIEW templates/layouts. I.e: resources/views/layouts/app.blade.php and resources/views/layouts/guest.blade.php and resources/views/welcome.blade.php
  - <meta name="csrf-token" content="{{ csrf_token() }}">
- Then, define the required HTTP request headers and recompile your app's static assets (npm run dev). resources/js/app.js

$.ajaxSetup({
    headers: {
        "X-CSRF-TOKEN": $('meta[name="csrf-token"]').attr("content"),
        "X-Requested-With": "XMLHttpRequest"
    }
});

Regenerate your application key automatically. (I.e: php artisan key:generate).
Clear your application cache. (I.e: php artisan cache:clear).
Confirm that the application caller has read & write permissions in the application's "sessions" & "cache" folder. (I.e: chmod -R 755 storage && chmod -R 755 "storage/framework/sessions" && chmod -R 755 "bootstrap/cache").

Addendum 1:

If in case you have Laravel Sanctum installed and enabled, add your application domain among the whitelist of "sanctum stateful domains".

.env file contents

Change myapp.local to your application domain.

SANCTUM_STATEFUL_DOMAINS="myapp.local"

Addendum 2:

Ensure that your "session driver" isn't empty. The default value is "file".

.env file contents

SESSION_DRIVER=file

Addendum 3:

Disable the browser cache. This may be beneficial during your development process.
Open your web browser, navigate to your application's home page, reload the current page, ignoring cached content. (I.e: On Windows: Shift + F5 or Ctrl + Shift + r and on Mac: ⌘ + Shift + r).
TEST YOUR APP! Check if you still receive the error.

Addendum 4 (Optional):

Only perform the steps below if you reached step 12 and are still having the same error.

A. Clear ALL web browser cache & cookies. TEST YOUR APP!

B. Open an entirely different web browser and test again. If you've been using Google Chrome / Safari all along, try testing using Firefox. TEST YOUR APP!

C. Restart your computer and test again. TEST YOUR APP!

I have checked each step you have given here, but still no luck I have updated env, remove the cache also after each change but still stuck at the same error page — always-a-learner, Mar 20 '22 at 04:17
@always-a-learner Please try out the steps in **Addendum 4** of my edited answer. — steven7mwesigwa, Mar 20 '22 at 06:26
Just a word of warning, following the steps above, as soon as I reset the application key (php artisan key:generate), the problem I had of expired session became application-wide and I could no longer login. — Mr Fett, Jul 06 '23 at 12:22
"Confirm that the application caller has read & write permissions" that was my issue, and I solved it with https://stackoverflow.com/a/45673457/5248391 — shamaseen, Aug 07 '23 at 12:23

score 1 · Answer 2 · answered Mar 31 '23 at 02:07

This can also happen when you have the SESSION_SECURE_COOKIE flag set to true and then your request is made under an unsecure connection for example you access your application over http://yourdomain.com instead of https://yourdomain.com. The set-cookie header will be blocked because its received under an unsecure connection hence leading to the above session problem.

score 0 · Answer 3 · answered Aug 12 '23 at 06:06

0

This may be an edge case, but if you're using the database driver and something other than normal incrementing IDs for your user IDs (i.e, ULIDs or UUIDs), make sure the user_id field in the sessions table reflects the correct format for your user IDs.

answered Aug 12 '23 at 06:06

Justin Russell

1,009
1
9
15

score -1 · Answer 4 · answered Mar 19 '22 at 19:24

-1

1- php artisan route:clear

2- go to CSRF middleware and try to add "*" to your except array

answered Mar 19 '22 at 19:24

Milad Elyasi

789
4
12

1

Tried this also but still got 419 error page, also this is not a suitable solution due to safety issue. – always-a-learner Mar 20 '22 at 03:51
3

If anyone comes across this answer, adding "*" to your VerifyCsrfToken $except array is a terrible way to fix this issue. Try literally anything else before you do this. If you absolutely must add this route to your exception, add ONLY this route (and any others you need of course) – Kevin F. Aug 05 '22 at 09:30

score -3 · Answer 5 · answered Jan 12 '23 at 18:30

-3

When this happened to me it was because I forgot to add 'name' attribute to my input in the form

answered Jan 12 '23 at 18:30

Jaylaud

5
3