Simple form

    <form method="POST" action="/foo">
        @csrf
        <input type="text" name="name"/><br/>
        <input type="submit" value="Add"/>
    </form>

In routes/web.php

    Route::post('/foo', function () {
        // Dump the raw POST data submitted by the form
        echo '<pre>';
        print_r($_POST);
        echo '</pre>';
        return;
    });

Submitting the form gives an error:

 419 Sorry, your session has expired. Please refresh and try again. 

In version 5.6 there was no such problem.

If in app/Http/Middleware/VerifyCsrfToken I write

    protected $except = [
        '/foo',
        //
    ];

then the token that the form sends is not checked and the error does not appear.

The route runs and outputs:

 Array ( [_token] => hnaGkZ6THI0pzVVlQD23jRRYQqIrQDtXGkK4ng2Z [name] => Саша ) 

The question is: what settings need to be changed so that the VerifyCsrfToken middleware performs the check automatically? It turns out that the middleware does not receive the token that the form submits. Simply turning off the check for the route is, in my opinion, not good.

  • Try {{ csrf_field() }} in the form instead of @csrf - manowartop
  • I tried all the options; the token is there in the form. Even in the output it is clear that the token from the form ends up in the $_POST array. The question is that in version 5.7 they changed something so that the latter does not understand this token, does not receive it. - Sasha Hakerenko
  • @SashaHakerenko I have 5.7.6. I copied your code, pasted it, and it works without errors - nicolaa
  • Maybe this is due to OpenServer ... - Sasha Hakerenko

5 answers

This happens with CSRF tokens. They live for only 1 or 2 hours at most. Of course, it depends on the time you set in your config. If you open config/session.php, you can find a key called lifetime. This is the lifetime in minutes. Thus, the CSRF token has the same lifetime as this configuration parameter. Therefore, if you send a message to your server two hours later, you will receive this exception, because the token/session has expired.

But this error may also be due to the fact that you did not specify the token at all (I see that you did specify it; I am saying this for other people). Specify this in your form tag:

 @csrf 

or

 {{ csrf_field() }} 

or

 <input type="hidden" name="_token" value="{{ csrf_token() }}"> 

  • <form method="POST" action="/foo"> <input type="hidden" name="_token" value="knG4ltT7Y08UHIm6XgLSDToEzwsbLDzsIC0jnTWM"> <input type="text" name="name"> <br> <textarea name="text"></textarea> <br> <input type="submit" value="Add"> </form> I looked at the form; everything is all right with it - Sasha Hakerenko
  • Do you have this every time you send? - Ilya Zelenko
  • The form is all right. I tried changing the session time; it is not because of that. Most likely, in version 5.7, the principles of the fight against CSRF attacks have changed and the middleware has to work somewhat differently. - Sasha Hakerenko
  • I copied the form from the browser; it shows that the @csrf directive works correctly, but it is not enough as it was in Laravel 5.6. - Sasha Hakerenko
  • This is strange; Google returns few results for this error. - Ilya Zelenko
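
A simplified model of a session-bound CSRF check, as an added example that is not part of the answers above and is not Laravel's own code (`SessionStore` and `verifyCsrf` are hypothetical names, and the lifetime and timestamp are constructed values). It shows why a `_token` that is present in `$_POST` can still produce 419: the submitted value is compared with the token stored in the server-side session, so an expired session or a request that arrives without the session cookie fails the comparison.

```php
<?php
// Added example: simplified model of a session-bound CSRF check.
// SessionStore and verifyCsrf are hypothetical names, not Laravel classes.

final class SessionStore
{
    private $sessions = [];   // sessionId => ['token' => string, 'expires' => int]
    private $lifetime;        // seconds

    public function __construct(int $lifetimeMinutes)
    {
        $this->lifetime = 60 * $lifetimeMinutes;
    }

    /** Start a session; return [sessionId, csrfToken]. */
    public function start(int $now): array
    {
        $id = bin2hex(random_bytes(16));
        $token = bin2hex(random_bytes(20));
        $this->sessions[$id] = ['token' => $token, 'expires' => $now + $this->lifetime];
        return [$id, $token];
    }

    /** Token of a live session, or null when the cookie is absent or the session expired. */
    public function tokenFor(?string $id, int $now): ?string
    {
        $s = $id === null ? null : ($this->sessions[$id] ?? null);
        return ($s !== null && $s['expires'] > $now) ? $s['token'] : null;
    }
}

/** HTTP status the check would produce: 200, or 419 on mismatch. */
function verifyCsrf(SessionStore $store, ?string $cookie, array $post, int $now): int
{
    $expected = $store->tokenFor($cookie, $now);
    $given = $post['_token'] ?? null;
    $ok = is_string($expected) && is_string($given) && hash_equals($expected, $given);
    return $ok ? 200 : 419;
}

$store = new SessionStore(120);   // constructed lifetime value, in minutes
$t0 = 1700000000;                 // constructed timestamp
[$cookie, $token] = $store->start($t0);
$post = ['_token' => $token, 'name' => 'demo'];

echo verifyCsrf($store, $cookie, $post, $t0 + 60), "\n";               // live session
echo verifyCsrf($store, $cookie, $post, $t0 + 3 * 3600), "\n";         // session expired
echo verifyCsrf($store, null, $post, $t0 + 60), "\n";                  // no session cookie
echo verifyCsrf($store, $cookie, ['name' => 'demo'], $t0 + 60), "\n";  // no _token field
```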

I think you need to check all configuration files again. Something somewhere is not set up. Yes, this error is mainly related to CSRF. Something in your configuration is incomplete, which is why there are so few tips. Here everything is correct. But I would advise you to use the Laravel output functions for tests.

    use Illuminate\Http\Request;

    Route::any('/foo', function (Request $request) {
        dump($request);
    });

In my projects, this only appears if I skip @csrf. And yes! Of course, check on the browser side that the INPUT with the token is rendered. Maybe you just need to reset the view cache.

Also, for verification, change the form method from POST to GET and look at the dump($request) output in the response to see whether the token (_token) is in the request group.

Laravel 5.7, Voyager admin. On the frontend, React 16. After fixes in the files, I could no longer get into the admin area. When I entered my login and password, I got error 419. In my case, a space had been added in the routes/api.php file before the opening tag. That was the mistake. After removing it, everything returned to normal.

Everyone just talks about CSRF, but the problem may turn out to be in more primitive things, which are talked about much less often.
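
A check for the cause described in the answer above, as an added example that is not part of the original answer: bytes before `<?php` are emitted as response output, which can stop the session cookie header from being sent. The function names and the sample directory tree are constructed for illustration, and the check is generalised to also report a UTF-8 BOM or other text before the tag.

```php
<?php
// Added example: find PHP files that emit bytes before the opening tag.

/** Describe what precedes "<?php" in a file, or return null if it is clean. */
function leadingOutput(string $path): ?string
{
    $head = (string) file_get_contents($path, false, null, 0, 64);
    if (strncmp($head, '<?php', 5) === 0) {
        return null;
    }
    if (strncmp($head, "\xEF\xBB\xBF", 3) === 0) {
        return 'UTF-8 BOM';
    }
    $pos = strpos($head, '<?php');
    if ($pos === false) {
        return null; // no opening tag near the start (e.g. a template)
    }
    return trim(substr($head, 0, $pos)) === ''
        ? "$pos whitespace byte(s)"
        : 'text before the opening tag';
}

/** Scan directories recursively; return [path => problem]. */
function scan(array $dirs): array
{
    $findings = [];
    foreach ($dirs as $dir) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $file) {
            $problem = $file->getExtension() === 'php' ? leadingOutput($file->getPathname()) : null;
            if ($problem !== null) {
                $findings[$file->getPathname()] = $problem;
            }
        }
    }
    return $findings;
}

// Constructed sample tree: one clean route file, one with a leading space.
$root = sys_get_temp_dir() . '/csrf419_' . uniqid();
mkdir("$root/routes", 0700, true);
file_put_contents("$root/routes/web.php", "<?php\n// clean\n");
file_put_contents("$root/routes/api.php", " <?php\n// leading space\n");
foreach (scan(["$root/routes"]) as $path => $problem) {
    echo "$path: $problem\n";
}
```

In a real project, pass directories such as `routes`, `config` and `app` to `scan()` instead of the constructed sample tree.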

There was a problem with a redirect to the page with error 419; the problem occurred when authorizing or registering a user. The form was created using standard Laravel tools, namely php artisan make:auth, and worked steadily for a couple of weeks, then the redirect appeared. I tried to uninstall and reinstall vendor and update Laravel, as described here => laravel-update (it may come in handy for someone). This did not help me.

Solution to the problem:

In auth/login.blade.php I replaced the CSRF call @csrf with {{ csrf_field() }}, reset the cache with php artisan config:cache and it all worked.

The documentation describes this in detail: http://laravel.su/docs/5.4/csrf Or, as mentioned above, add a token. Or, add the following file: in the file of the file of the program.npr / intermediate / VerifyCsrfToken $.

  • Why did you decide to write in English? Is Russian not your native language and is it difficult for you to write in Russian? - 0xdb