Laravel 419 Error - VerifyCsrfToken issue

Question

I have multiple Laravel sites hosted on the same server. With the latest site I\'ve created, the contact form refuses to submit without throwing a 419 error. I have set up t

Answer 1

Probably your domain in browser address bar does not match domain key in config/session.php config file or SESSION_DOMAIN in your env file.

Answer 2

Check out my answer to this question if it would be of help to what you are trying to achieve Form post request return error 419 unknown status laravel

Answer 3

run this command php artisan key:generate

Answer 4

TLDR: This post contains lots of potential issues and fixes; it is intended for those scouring for related bonus information when stuck.

I just encountered this error using Laravel Sanctum in what looks like improperly setup middleware. Sanctum uses the auth:sanctum middleware for the guard, which is some kind of extension of the auth guard of which Laravel uses as the default, but session is handled by the web middleware group.

I can't exactly verbalize some of this internal-Laravel stuff; I am more experienced with JavaScript than PHP at the moment.

In my api.php file, I had the login/register/logout routes, and in my Kernel.php file, I copied \Illuminate\Session\Middleware\StartSession::class, from the web group into the api group.

I had to do that to fix my login unit test that was throwing an error about "Session store not on request". Copying that allowed me my postJson request to work in the unit test, but sometime later, I started seeing 419 CSRF error posting from the JavaScript app (which is bad because it worked fine earlier).

I started chasing some filesystem permission red-herring in the /storage/framework/sessions folder, but the issue wasn't that (for me).

I later figured out that with Laravel Sanctum and the default AuthenticatesUsers trait, you must use the web guard for auth, and the auth:sanctum middleware for protected routes. I was trying to use the api guard for auth routes and that was central to my 419 errors with the AuthenticatesUsers trait.

If anyone gets 419 while CSRF was working or should work, I recommend doing some \Log::debug() investigations at all the key points in your system where you need these to work:

Auth::check()

Auth::user()

Auth::logout()

If you get strange behaviour with those, based on my observations, there is something wrong with your config related to sessions or something wrong with your config related to web, api guards.

The guards have bearing on the AuthManager guard which maintains state over multiple requests and over multiple unit tests.

This is the best description I found, which took over a week for me to discover:

Method Illuminate\Auth\RequestGuard::logout does not exist Laravel Passport

As a random final example, if your session is somehow generating the CSRF token using data from the web middleware group while your routes are set to use api, they may interpret the received CSRF incorrectly.

Besides that, open Chrome dev tools and goto the Applications tab, and look at the cookies. Make sure you have the XSRF-TOKEN cookie as unsecure (ie: not httpOnly).

That will allow you to have an Axios request interceptor such as this:

import Cookies from 'js-cookie';

axios.interceptors.request.use(async (request) => {
    try {
        const csrf = Cookies.get('XSRF-TOKEN');
        request.withCredentials = true;

        if (csrf) {
            request.headers.common['XSRF-TOKEN'] = csrf;
        }

        return request;
    } catch (err) {
        throw new Error(`axios# Problem with request during pre-flight phase: ${err}.`);
    }
});

That is how my current Laravel/Vue SPA is working successfully.

In the past, I also used this technique here:

app.blade.php (root layout file, document head)

<meta name="csrf-token" content="{{ csrf_token() }}">

bootstrap.js (or anywhere)

window.axios = require('axios');

window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';

const token = document.head.querySelector('meta[name="csrf-token"]');

if (token) {
    window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
} else {
    console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
}

In my opinion, most problems will stem from an incorrect value in one or more of these files:

• ./.env

• ./config/auth.php

• ./config/session.php

Pay close attention to stuff like SESSION_DOMAIN, SESSION_LIFETIME, and SESSION_DRIVER, and like I said, filesystem permissions.

Check your nginx access.log and/or error.log file; they might contain a hint.

Answer 5

just found your issue on the framework repo. It is not a laravel issue, your installation is missing write permissions on the storage folder, thus laravel can't write session, logs, etc.

You get a 419 error because you can't write to the files, thus you can't create a sessionn, thus you can't verify the csrf token.

Quick fix: chmod -R 777 storage

Right fix: move your installation to a folder where nginx/apache/your user can actually write. If you are using nginx/apache, move you app there and give the right permissions on the project (chown -R www-data: /path-to-project) If you are using php artisan serve, change it's permissions to your user: chown -R $(whoami) /path-to-project

You get it, let writers write and you're good.

Answer 6

test this code

Route::get('/contact', [
   'uses' => 'ContactController@index',
   'nocsrf' => true,
]);
Route::post('/contact', [
   'uses' => 'ContactController@contactSubmit',
   'nocsrf' => true,
]);

or you can delete hole csrf

protected $except = [
    '*'
];