Reputation: 31
Hi I'm new to Laravel and I'm trying to build a login form with ajax form submission.
I copied & built a sample form with Metronic template, and trying to use ajax request to get the login check.
My code works totally fine if I exclude it from VerifyCsrfToken checking. But I do want the token validation to work.
I have read multiple post about csrf token, tried but still returns status code 419.
Sorry for the long code below, but here they are (I know I have not done anything about setting sessions and stuff, please ignore for now coz the code returns 419 status anyway)
Route::post('/auth/login', array('uses' => 'Auth\LoginController@postLogin'))->name('login');
Route::get('/landing', array('uses' => 'IndexController@landing'))->name('landing');
<meta charset="utf-8" />
<title>{{ config('') }} ({{ config('app.env') }})</title>
<meta name="description" content="Latest updates and statistic charts">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, shrink-to-fit=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
Global css & js here
<form class="m-login__form m-form" method="post" action="{{ route('login') }}">
Form content here
<!--begin::Page Scripts -->
<script type="text/javascript">
var form_action = '{{ route('login') }}';
<script src="{{ URL::asset('login.js')}}" type="text/javascript"></script>
<!--end::Page Scripts -->
var handleSignInFormSubmit = function() {
$('#m_login_signin_submit').click(function(e) {
var btn = $(this);
var form = $(this).closest('form');
rules: {
email: {
required: true,
email: true
password: {
required: true
if (!form.valid()) {
btn.addClass('m-loader m-loader--right m-loader--light').attr('disabled', true);
var formData = form.serialize();
data: formData,
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
dataType: 'json',
$(location).attr('href', data.intended);
btn.removeClass('m-loader m-loader--right m-loader--light').attr('disabled', false);
showErrorMsg(form, 'danger', 'Incorrect username or password. Please try again.');
error: function (data) {
btn.removeClass('m-loader m-loader--right m-loader--light').attr('disabled', false);
showErrorMsg(form, 'danger', 'Incorrect username or password. Please try again.');
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\URL;
use Response;
class LoginController extends Controller
use AuthenticatesUsers;
protected $redirectTo = '/landing';
public function __construct()
public function postLogin(Request $request) {
$auth = false;
$credentials = $request->only('email', 'password', 'remember_token');
if (Auth::attempt($credentials, $request->has('remember_token'))) {
$auth = true; // Success
if ($request->ajax()){
$response = array(
'auth' => true,
'code' => 101,
'intended' => URL::route('landing')
$response = array(
'auth' => true,
'code' => 102,
'intended' => URL::route('landing')
return Response::json($response);
$response = array(
'status' => 'error',
'msg' => 'Error',
return Response::json($response);
Part of the reponse error
message: "", exception: "Symfony\Component\HttpKernel\Exception\HttpException",…}
exception: "Symfony\Component\HttpKernel\Exception\HttpException"
file: "/var/www/imas/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php"
line: 204
message: ""
UPDATED: I put everything in one php file, did put csrf-token meta in head + ajaxsetup in script, still getting 419 status code (Note: The "test123" is a post method in route file)
<!DOCTYPE html>
<html lang="en">
<!-- begin::Head -->
<meta charset="utf-8" />
<title>{{ config('') }} ({{ config('app.env') }})</title>
<meta name="description" content="Latest updates and statistic charts">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, shrink-to-fit=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
<!--begin::Web font -->
<script src=""></script>
google: {"families":["Poppins:300,400,500,600,700","Roboto:300,400,500,600,700"]},
active: function() {
sessionStorage.fonts = true;
<!--end::Web font -->
<!--begin:: Global Mandatory Vendors -->
<!--end:: Global Mandatory Vendors -->
<!--begin:: Global Optional Vendors -->
<!--end:: Global Optional Vendors -->
<!--begin::Global Theme Styles -->
<!--end::Global Theme Styles -->
<!--begin::Page Vendors Styles -->
<!--end::Page Vendors Styles -->
<!--begin:: Custom CSS -->
<!--end:: Custom CSS -->
<!-- end::Head -->
<!-- begin::Body -->
<body class="m-page--fluid m--skin- m-content--skin-light2 m-header--fixed m-header--fixed-mobile m-aside-left--enabled m-aside-left--skin-light m-aside-left--fixed m-aside-left--offcanvas m-footer--push m-aside--offcanvas-default">
<!-- begin:: Page -->
<div class="m-grid m-grid--hor m-grid--root m-page">
<!-- BEGIN: Header -->
<!-- END: Header -->
<!-- begin::Body -->
<div class="m-grid__item m-grid__item--fluid m-grid m-grid--ver-desktop m-grid--desktop m-body">
<!-- BEGIN: Left Aside -->
<!-- END: Left Aside -->
<div class="m-grid__item m-grid__item--fluid m-wrapper">
<form name="form1" id="form1">
Name: <input type="name" name="username" id="username"/><br/>
Password: <input type="password" name="password" id="password"/><br/>
<input type="button" value="Submit" name="btn_submit" id="btn_submit"/>
<!-- end:: Body -->
<!-- begin::Footer -->
<!-- end::Footer -->
<!-- end:: Page -->
<!-- begin::Scroll Top -->
<!-- end::Scroll Top -->
<!-- begin:: Script -->
var formPath = '{{ route('test123') }}';
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
var formData = $('#form1').serialize();
<!-- end:: Script -->
<!-- end::Body -->
Upvotes: 3
Views: 2392
Reputation: 655
Use this in the head section HTML:
<meta name="csrf-token" content="{{ csrf_token() }}" />
And in your ajax used it in data:
$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': jQuery('meta[name="csrf-token"]').attr('content') } });
Please refer Laravel Documentation CSRF Protection
Upvotes: 3