Reputation: 606
This question is linked to one that still could not get resolved, but I have pinned it down very precisely now and I am focusing on what I know is the cause of the error, yet I have tried all the means known to me.
The problem is that a $.post from jQuery to a controller throws a 500 internal server error, which is actually a "mismatch token exception" that is caught in line 67 of the VerifyCSRFToken.php file.
Therefore, the controller does not get the value because the Middleware stays in the middle.
In order to try to deal with this I have done:
1) Went to the App\Middleware\VerifyCSRFToken.php and included the route that is in the jquery snippet as to be ignored. That should suffice, but it doesn't.
    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = ['findcountries', 'findpaises', 'prueba'];
    }
2) Also, I went and added this meta tag in the view page (actually, this would be if I want to allow the sending with csrf).
    <meta name="csrf-token" content="{{ csrf_token() }}">
3) I included this code snippet that I call from the view
    // public/js/config.js
    $(function () {
        $.ajaxSetup({
            headers: { 'X-CSRF-TOKEN': $('meta[name="_token"]').attr('content') }
        });
    });
What baffles me is that it is the copy-paste code which was working on my production server for months; actually, the ignore routes in the CSRFVerifyToken php file did the trick, I did not even need the meta tag and the other snippet.
Now I am developing an improved version of the web in cloud9 and I can't get rid of this problem.
Does anyone know what could be done about it?
Thank you.
UPDATE
This is the code that gives the problem:
    function cargarProvincias() {
        var country = $('#country').val();
        $url = "{{URL::route('findcountries')}}";
        // this one ==>
        $.post($url, {pais: country}, function (data) {
            $('#regions').empty();
            $.each(data, function (key, value) {
                $('#regions').append('<option value="' + key + '">' + value + '</option>');
            });
            cargarCiudades();
        });
    }
Upvotes: 0
Views: 1147
Reputation: 606
The issue lay in the HTTPS (SSL-encrypted) environment where c9.io is developed.
The content that I had in the page, e.g. calls to JS from Google which were not under https but http, would be blocked because of the mixed-content conflict.
I disabled the browser protection so as to make it all http, but the site under https would then be telling me that I am doing some sort of cross-site request forgery because the origin of the form (http) was not the same as the one the environment is in (https).
So, only when the URL of the page where the form was in was not under https would the code work. I can edit the headers on the fly, removing or adding the s in http, and see success or failure follow.
I first got rid of the Form and left only a select list and a plain simple select list and this very simple jQuery code:
    <script>
    jQuery(document).ready(function () {
        cargarProvincias();
        // cargarCiudades();
        $('#country').change(cargarProvincias);
    });

    function cargarProvincias() {
        var country = $('#country').val();
        // alert(country);
        $url = "{{ URL::route('findcountries')}}";
        // alert($url);
        $.post($url, {input: country}, function (data) {
            $('#feedback').text(data);
        });
    }
    </script>
Then I placed this select list inside a form, no problem. Something like this:
{!! Form::open(array('route' => 'property.store', 'files'=>true)) !!}
In the first picture, you see the 500 error if I removed the route from here:
    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = ['findpaises', 'prueba', '/', 'propertyfound'];
    }
So, as I said, you can get away with not sending any CSRF in either your Ajax or your form IF and ONLY IF you include it in the ignore list array above.
Also I must say, Firefox is NOT a good browser to check for development issues. You may have fixed the issue, but Firefox will rest with its errors stored.
Today I found out about Slimjet as a browser; if you use it you will see what I mean. Firefox crashed my computer because of its bloody plugins, while everything is built-in in Slimjet.
Upvotes: -1
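The header setup from steps 2 and 3 of the question and the http/https origin point from the answer above, as an added example that is not part of the original posts: the meta tag in step 2 is named csrf-token while the selector in step 3 queries _token, and a selector that matches nothing yields no token to send. It keeps CSRF verification on for the route; the function names, the example.test URLs and the document stub are assumptions made for illustration.

```javascript
// Added example, not code from the posts. Runs in Node or a browser.
// CSRF_META_NAME must equal the name attribute of the <meta> tag in the view.
const CSRF_META_NAME = 'csrf-token';

// Read the token from a document-like object; fail loudly instead of
// silently sending a request with no usable token.
function readCsrfToken(doc, metaName = CSRF_META_NAME) {
  const tag = doc.querySelector(`meta[name="${metaName}"]`);
  const token = tag ? tag.getAttribute('content') : null;
  if (!token) {
    throw new Error(`no <meta name="${metaName}"> with a token in this page`);
  }
  return token;
}

// Scheme, host and port must all match: http:// and https:// on the same
// host are different origins.
function isSameOrigin(pageUrl, targetUrl) {
  return new URL(targetUrl, pageUrl).origin === new URL(pageUrl).origin;
}

// Headers for a POST. The token is attached only to same-origin requests,
// so it is never sent to another site or over a downgraded scheme.
function csrfHeaders(doc, pageUrl, targetUrl) {
  if (!isSameOrigin(pageUrl, targetUrl)) return {};
  return { 'X-CSRF-TOKEN': readCsrfToken(doc) };
}

// Constructed stand-in for the browser document holding one meta tag.
function fakeDocument(metaName, content) {
  return {
    querySelector(selector) {
      if (selector !== `meta[name="${metaName}"]`) return null;
      return { getAttribute: (attr) => (attr === 'content' ? content : null) };
    },
  };
}

// Constructed sample values (hypothetical host and token).
const doc = fakeDocument('csrf-token', 'constructed-token-value');
const page = 'https://example.test/property/create';
console.log(csrfHeaders(doc, page, '/findcountries'));
console.log(csrfHeaders(doc, page, 'http://example.test/findcountries'));
try { readCsrfToken(doc, '_token'); } catch (e) { console.log(e.message); }
```

In the browser, pass the real `document` and `window.location.href`, and hand the returned object to `$.ajaxSetup({ headers: ... })`.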
Reputation: 1387
The token you're using is from metatags, that's wrong. Let's say you have 2 different forms on the same page, it won't work!
You should use the token inside the form generated by Laravel. I grabbed this code from another question that may help you.
How to call route of controller with ajax serialize
    var formId = '#radicado';
    var token = document.getElementById('token').value;
    $.ajax({
        async: true,
        headers: {'X-CSRF-TOKEN': token},
        url: ip + '/storeVersion',
        type: 'POST',
        data: $(formId).serialize(),
        dataType: 'html',
        success: function (result) {
            $(formId)[0].reset();
            alert(result);
            document.getElementById("version").style.display = "none";
            document.getElementById("preview").style.display = "none";
            parent.formulario.location.reload();
        },
        error: function () {
            alert('No se ha actualizado el documento.');
        }
    });
Remember, the CSRF token is inside the form you're trying to send.
Upvotes: 2