UPDATE 2: It is definately generating a whole new session & token upon executing the POST. My sessions are set up to be stored in files and I can physically see a new session get created straight after posting.
I cannot still find a reason for this. Any help is appreciated!
UPDATE:
Upon further tracing of issue I found in class VerifyCsrfToken that the validation is done by this line of code in protected function tokensMatch($request)
$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
return Str::equals($request->session()->token(), $token);
I copy the token from initial page load (and check its session value) and they match.
Token in session & hidden (login Page first load)= wHszQpffJC0gIov17pd2ZbPqtdbFq7yZh3U2QlOe
But the tokens are different when the POST takes place and they are compared. Somehow the token in session has been changed. I check like this:
echo 'Token from request= ' . $token;
echo 'Token from session= ' . $request->session()->token();
and I get this:
Token from request= wHszQpffJC0gIov17pd2ZbPqtdbFq7yZh3U2QlOe
Token from session= sfquUx6MhPaqdMR862kDZh8qYmpKDJ0Rbdghq1iA
I do this on a fresh browser / login attempt. Why would the token in session be different than the one carried across from the login page?
ORIGINAL Q: I am getting the above error on a fresh L5.1 install and cannot (after reading numerous links) get this problem solved. I am new to Laravel. Appreciate any suggestions.
My form looks like this:
@extends('admin.layouts.default')
@section('content')
<div id="form" class="login">
<img src="{{ $logo }}" class="logo"/>
@include('admin.partials.message')
{!! Form::open(['url' => '/login', 'class'=>'form']) !!}
<div class="form-group">
{!! Form::label('email', 'Email:', ['class'=>'control-label']) !!}
{!! Form::email('email', null, ['class'=>'form-control', 'id'=>'email', 'required'=>'1']) !!}
</div>
<div class="form-group">
{!! Form::label('password', 'Password:', ['class'=>'control-label']) !!}
{!! Form::password('password', ['class'=>'form-control', 'id'=>'password', 'required'=>'1']) !!}
</div>
<div class="form-group text-left">
{!! Form::checkbox('remember', '1', null, ['id'=>'remember']) !!}
{!! Form::label('remember', 'Remember Me', ['class'=>'control-label']) !!}
</div>
<div class="form-group">
{!! Form::submit('Sign In', ['class'=>'btn btn-primary']) !!}
<a href="/reset-password" class="text-muted">Forgot Your Password?</a>
</div>
{!! Form::close() !!}
</div>
<?php dd(session()); ?>
@stop
My routes look like this:
/*
|--------------------------------------------------------------------------
| Freely available routes for login, registration, password reset etc
|--------------------------------------------------------------------------
*/
Route::group([
'middleware' => 'guest'
], function(){
// Register
Route::get('register', ['uses' => 'RegistrationController@create', 'as' => 'registration.create']);
Route::post('register', ['uses' => 'RegistrationController@store', 'as' => 'registration.create']);
// Activate
Route::get('register/activate/{uuid}', ['uses' => 'RegistrationController@activate', 'as' => 'registration.activate']); // Pattern matched
// Login/logout
Route::get('login', ['uses' => 'Auth\AuthController@getLogin', 'as' => 'session.create']);
Route::post('login', ['uses' => 'Auth\AuthController@postLogin', 'as' => 'session.create']);
Route::get('logout', ['uses' => 'Auth\AuthController@getLogout', 'as' => 'session.destroy']);
// Forgot password
Route::get('reset-password', ['uses' => 'SessionController@reset_password', 'as' => 'session.reset_password']);
// Change password
Route::get('change-password', ['uses' => 'SessionController@change_password', 'as' => 'session.change_password']);
});
The token on page load and session look the same, generated by formBuilder.
Session:
#attributes: array:1 [▼
"_token" => "EE5qv7mhhyI0cutpXOgU6jgvUR2R58RubQ5pC128"
]
Page HTML:
<input name="_token" type="hidden" value="EE5qv7mhhyI0cutpXOgU6jgvUR2R58RubQ5pC128">
Well, the problem it turns out was that I had set the session variable secure to true in the www/config/session.php file. This was causing Laravel to expect requests via HTTPS which my development environment does not have set up, and thus causing the server to treat each GET or POST as a new request.
Hope this helps someone.