php laravel session-cookies csrf-token

Laravel 5, token mismatch during login but gives 419 page expired


I have a Laravel 5.8 app, deployed some weeks ago into production. One user (and one user only) appears to have problems with the login and gets a 419 page expired error. I tried to trace this issue and got the same error. The problem appears when entering a correct or an incorrect password...

I've read and seen that it's most probably a CSRF issue... I've tried quite a lot: env variables, read rights in storage/framework/session, etc. But then, after editing VerifyCsrfToken, I found out that there is effectively a token mismatch: the CSRF field in the form and the request token do not match...

I have come far enough to be able to say that getTokenFromRequest gives the right token, the one also seen in the login form HTML, and $request->session()->token() gives a token unknown to me...

Both tokens are kind of generated by Laravel, and I simply have no clue why the session token is different... My session settings:

  • Session_driver: File
  • lifetime: 120
  • expire_on_close: true
  • session_domain: set to domain name
  • session_secure_cookie: false
  • http_only: false
  • Same_site: null

So is it a session problem or a CSRF problem? And the interesting question is also: why do only some users have this issue...


Solution

  • Ok, I've upgraded PHP from 7.2.29 to 7.3 and the problem disappeared.

    From other projects I had noticed that PHP 7.2 sometimes gave funky results, not only with Laravel... Seems to have been that again...
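
One way to separate the "session problem or CSRF problem" cases from the question, as an added example that is not part of the original post or of Laravel itself: a diagnostic middleware that logs, for each POST, whether the browser returned the session cookie and whether the submitted token matches the session token. The class name `LogCsrfSessionState` and the log label are hypothetical; it is assumed to be registered in the `web` group of `app/Http/Kernel.php` after `StartSession` and before `VerifyCsrfToken`.

```php
<?php
// Added diagnostic example (hypothetical class name), not from the original post.
// Assumes registration in the "web" middleware group after StartSession
// (so $request->session() is available) and before VerifyCsrfToken.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Log;

class LogCsrfSessionState
{
    public function handle($request, Closure $next)
    {
        if ($request->isMethod('post')) {
            $session = $request->session();
            $cookieName = $session->getName();               // session cookie name
            $cookieId = $request->cookies->get($cookieName); // value the browser sent back
            // Same two sources VerifyCsrfToken reads first: form field, then header.
            $sent = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

            // Log short fingerprints only, never raw session ids or tokens.
            $fp = function ($value) {
                return is_string($value) ? substr(hash('sha256', $value), 0, 12) : null;
            };

            Log::debug('csrf-diagnostic', [
                'path' => $request->path(),
                // false: the request carried no session cookie at all.
                'cookie_present' => is_string($cookieId),
                // false: the cookie did not select the current session,
                // so a fresh session (with a fresh token) was started.
                'cookie_matches_session' => is_string($cookieId)
                    && hash_equals((string) $session->getId(), $cookieId),
                // false with the line above true: the session was found by id
                // but holds a different token than the one in the form.
                'token_matches' => is_string($sent)
                    && hash_equals((string) $session->token(), $sent),
                'session_id_fp' => $fp($session->getId()),
                'session_token_fp' => $fp($session->token()),
                'sent_token_fp' => $fp($sent),
            ]);
        }

        return $next($request);
    }
}
```

Comparing `session_id_fp` between the GET that renders the login form and the following POST shows whether the affected user keeps the same session across the two requests.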