always-a-learner

Reputation: 3794

419 Page Expired In Laravel Even after adding CSRF token

I am working on the Laravel 8 framework. I added the application to the live cPanel server, and then it started showing the error below:

419 PAGE EXPIRED

I know that generally a missing CSRF token is the main cause, but in this case I have added the CSRF token. I am using Laravel Blade syntax, so when I use the Blade form syntax the CSRF "token" gets added directly.

 {{ Form::open( [ "url" => \URL::route("front.login.check"), "autocomplete"=>false,"id" => "login_form" ] ) }}

This adds the CSRF token automatically; I have also tried adding it directly, but every POST request ends up on the 419 PAGE EXPIRED page.

What have I checked already?

Please help me with this. What should I check next to solve this issue?

Upvotes: 9

Views: 39597

Answers (3)

Justin Russell

Reputation: 1103

This may be an edge case, but if you're using the database driver and something other than normal incrementing IDs for your user IDs (i.e., ULIDs or UUIDs), make sure the user_id field in the sessions table reflects the correct format for your user IDs.

Upvotes: -1

steven7mwesigwa

Reputation: 6710

Laravel "419 Page Expired" Error Troubleshooting Steps

Apply/go through all steps up to "step 12" BEFORE testing your application for this error.

  1. Increase your session expiration time (i.e. 24 hours).
  2. Make sure that the "session domain" is the same as the "app URL".
  3. Ensure that the session cookies are sent back to the server for both "HTTP" & "HTTPS" browser connections.

.env file contents applying the above 3 steps.

Change myapp.local to your application domain.

APP_URL="http://myapp.local"
SESSION_LIFETIME=1440
SESSION_DOMAIN=myapp.local
SESSION_SECURE_COOKIE=false

  4. Make sure you submit a CSRF token along with your (PUT/POST/DELETE/etc.) HTTP requests.
  • (I.e.: ensure that this request parameter is submitted along with your HTML form requests: <input type="hidden" name="_token" value="{{ csrf_token() }}" />).
  • If you make AJAX requests in your application, you may configure ALL AJAX requests to send the CSRF token at all times.
    • Add this <meta> tag inside the <head> tag of all your master VIEW templates/layouts, i.e. resources/views/layouts/app.blade.php, resources/views/layouts/guest.blade.php and resources/views/welcome.blade.php:
      • <meta name="csrf-token" content="{{ csrf_token() }}">
    • Then, define the required HTTP request headers in resources/js/app.js and recompile your app's static assets (npm run dev):

$.ajaxSetup({
    headers: {
        "X-CSRF-TOKEN": $('meta[name="csrf-token"]').attr("content"),
        "X-Requested-With": "XMLHttpRequest"
    }
});

  5. Regenerate your application key automatically. (I.e.: php artisan key:generate).
  6. Clear your application cache. (I.e.: php artisan cache:clear).
  7. Confirm that the application caller has read & write permissions in the application's "sessions" & "cache" folders. (I.e.: chmod -R 755 storage && chmod -R 755 "storage/framework/sessions" && chmod -R 755 "bootstrap/cache").

Addendum 1:

  8. If you have Laravel Sanctum installed and enabled, add your application domain to the whitelist of "sanctum stateful domains".

.env file contents

Change myapp.local to your application domain.

SANCTUM_STATEFUL_DOMAINS="myapp.local"

Addendum 2:

  9. Ensure that your "session driver" isn't empty. The default value is "file".

.env file contents

SESSION_DRIVER=file

Addendum 3:

  10. Disable the browser cache. This may be beneficial during your development process.

  11. Open your web browser, navigate to your application's home page, and reload the current page, ignoring cached content. (I.e.: on Windows: Shift + F5 or Ctrl + Shift + R, and on Mac: ⌘ + Shift + R).

  12. TEST YOUR APP! Check if you still receive the error.

Addendum 4 (Optional):

Only perform the steps below if you reached step 12 and are still having the same error.

A. Clear ALL web browser cache & cookies. TEST YOUR APP!

B. Open an entirely different web browser and test again. If you've been using Google Chrome / Safari all along, try testing using Firefox. TEST YOUR APP!

C. Restart your computer and test again. TEST YOUR APP!

Upvotes: 17
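As an added example (not part of steven7mwesigwa's answer above), here is the $.ajaxSetup idea from step 4 rewritten around fetch(), plus the one behaviour that snippet lacks: a single, bounded retry when the server answers 419, re-reading the token from a fresh copy of the page. The function names (csrfTokenFromHtml, csrfHeaders, sendWithCsrf, fakeLaravel) are this example's own; the header names X-CSRF-TOKEN and X-XSRF-TOKEN are the ones Laravel's VerifyCsrfToken middleware actually reads. The "server" is a constructed stand-in so the code runs offline under Node; its sessionNeverPersists option models the situation in the question, where every POST lands in a brand-new session.

```javascript
// Added example, not code from the Stack Overflow answer or from Laravel itself.

// <meta name="csrf-token" content="..."> as rendered by {{ csrf_token() }} (attribute order as in the answer).
const META_RE = /<meta\s+name=["']csrf-token["']\s+content=["']([^"']+)["']\s*\/?>/i;

// Read the session's CSRF token out of the layout's <head>.
function csrfTokenFromHtml(html) {
  const m = META_RE.exec(html);
  if (!m) throw new Error('no <meta name="csrf-token"> in page: add it to the layout <head>');
  return m[1];
}

// VerifyCsrfToken compares the session token against the _token field, the
// X-CSRF-TOKEN header, or the X-XSRF-TOKEN header (axios fills the last one from
// the XSRF-TOKEN cookie). X-Requested-With + Accept make Laravel return the 419
// as JSON instead of the HTML "Page Expired" page.
function csrfHeaders(token) {
  return {
    'X-CSRF-TOKEN': token,
    'X-Requested-With': 'XMLHttpRequest',
    Accept: 'application/json',
  };
}

// Send one state-changing request. On a 419, re-read the token from a fresh copy
// of the page (the session may have been regenerated) and retry exactly once. A
// second 419 is handed back to the caller: a session that never comes back is a
// configuration problem (cookie domain/secure flag, driver, permissions), not a
// stale token, and retrying forever would only hide it.
// `transport(url, init)` is injected so this runs offline; in a browser pass
// (url, init) => fetch(url, { credentials: 'same-origin', ...init }).
async function sendWithCsrf(transport, { pageUrl, url, method, body }) {
  const freshToken = async () =>
    csrfTokenFromHtml(await (await transport(pageUrl, { method: 'GET' })).text());
  let token = await freshToken();
  for (let attempt = 1; ; attempt++) {
    const res = await transport(url, { method, headers: csrfHeaders(token), body });
    if (res.status !== 419 || attempt === 2) return { status: res.status, attempts: attempt, token };
    token = await freshToken();
  }
}

// Constructed stand-in for a Laravel app (not a real server): serves the meta tag,
// accepts POSTs whose X-CSRF-TOKEN matches the current session token, else 419.
function fakeLaravel({ expireBeforeFirstPost = false, sessionNeverPersists = false } = {}) {
  let sessionToken = 'tok-1';
  let posts = 0;
  const rotate = () => { sessionToken = 'tok-' + (Number(sessionToken.slice(4)) + 1); };
  return async (url, init) => {
    if (init.method === 'GET') {
      const html = `<html><head><meta name="csrf-token" content="${sessionToken}"></head></html>`;
      return { status: 200, text: async () => html };
    }
    posts += 1;
    // sessionNeverPersists: the browser refused the session cookie, so every request
    // starts a new session with a new token. expireBeforeFirstPost: one-off expiry.
    if (sessionNeverPersists || (expireBeforeFirstPost && posts === 1)) rotate();
    const sent = init.headers ? init.headers['X-CSRF-TOKEN'] : undefined;
    return sent === sessionToken
      ? { status: 200, text: async () => 'ok' }
      : { status: 419, text: async () => 'Page Expired' };
  };
}

// Stand-alone demo: a one-off expiry is recovered by the retry; a session that
// never persists still ends in 419 after two attempts.
const demoRequest = { pageUrl: '/login', url: '/login/check', method: 'POST', body: 'email=user%40example.com' };
sendWithCsrf(fakeLaravel({ expireBeforeFirstPost: true }), demoRequest)
  .then((r) => console.log('expired once      ->', r));
sendWithCsrf(fakeLaravel({ sessionNeverPersists: true }), demoRequest)
  .then((r) => console.log('session never set ->', r));
```

The retry is deliberately capped at one: if the second attempt also returns 419, the token was never the problem and the fix lies in the session cookie settings or storage permissions covered by steps 1-3 and 7 above.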

Maablabs Tech

Reputation: 31

This can also happen when you have the SESSION_SECURE_COOKIE flag set to true and your request is made over an insecure connection, for example when you access your application over http://yourdomain.com instead of https://yourdomain.com. The Set-Cookie header will be blocked because it is received over an insecure connection, hence leading to the above session problem.

Upvotes: 3
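The Secure-over-HTTP case in this answer and the "session domain must match the app URL" point in steps 2 and 3 of steven7mwesigwa's answer are the same failure seen from two angles: the browser refuses to store the session cookie, so every POST arrives in a fresh session whose token cannot match, and Laravel answers 419. As an added example (not from either answer), the following Node-runnable code reproduces that browser-side decision offline. The mapping from .env to cookie attributes follows config/session.php (SESSION_DOMAIN becomes the Domain attribute, SESSION_SECURE_COOKIE the Secure flag); the function names and the four constructed scenarios are this example's own, and the public-suffix rule for Domain is deliberately left out.

```javascript
// Added example, not code from the Stack Overflow answers or from Laravel itself.

// Build the Set-Cookie attributes Laravel emits for these .env values
// (config/session.php: 'domain' => env('SESSION_DOMAIN'), 'secure' => env('SESSION_SECURE_COOKIE')).
function sessionCookieFromEnv(env) {
  const attrs = ['laravel_session=<opaque>', 'Path=/', 'HttpOnly', 'SameSite=lax'];
  if (env.SESSION_DOMAIN) attrs.push(`Domain=${env.SESSION_DOMAIN}`);
  if (String(env.SESSION_SECURE_COOKIE).toLowerCase() === 'true') attrs.push('Secure');
  return attrs.join('; ');
}

// RFC 6265 domain-matching: the host equals the Domain string or is a subdomain
// of it. A leading dot ("." + domain) is ignored, as browsers do.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Would a browser that loaded pageUrl store (and later send back) this cookie?
// Two rejection rules matter for 419s:
//  - Secure cookie set from an http:// origin (browsers treat http://localhost as
//    a secure context, so that one is allowed);
//  - Domain attribute that does not cover the page's host (stale SESSION_DOMAIN).
function cookieAccepted(setCookie, pageUrl) {
  const url = new URL(pageUrl);
  const attrs = new Map();
  for (const part of setCookie.split(';').slice(1)) {
    const p = part.trim();
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : p.slice(i + 1);
    attrs.set(k, v);
  }
  const secureContext = url.protocol === 'https:' || url.hostname === 'localhost';
  if (attrs.has('secure') && !secureContext) {
    return { accepted: false, reason: `Secure cookie set over ${url.protocol}//${url.hostname}; browser drops it` };
  }
  if (attrs.has('domain') && !domainMatches(url.hostname, attrs.get('domain'))) {
    return { accepted: false, reason: `Domain=${attrs.get('domain')} does not cover host ${url.hostname}` };
  }
  return { accepted: true, reason: 'cookie stored; session and CSRF token will round-trip' };
}

// Does this .env keep the session alive for a visitor of APP_URL?
function diagnoseEnv(env) {
  return cookieAccepted(sessionCookieFromEnv(env), env.APP_URL);
}

// Constructed scenarios mirroring the .env snippets in the answers.
const SCENARIOS = {
  good:           { APP_URL: 'http://myapp.local',        SESSION_DOMAIN: 'myapp.local',  SESSION_SECURE_COOKIE: 'false' },
  secureOverHttp: { APP_URL: 'http://myapp.local',        SESSION_DOMAIN: 'myapp.local',  SESSION_SECURE_COOKIE: 'true' },
  staleDomain:    { APP_URL: 'https://www.example.com',   SESSION_DOMAIN: 'myapp.local',  SESSION_SECURE_COOKIE: 'true' },
  subdomainOk:    { APP_URL: 'https://www.example.com',   SESSION_DOMAIN: 'example.com',  SESSION_SECURE_COOKIE: 'true' },
};

for (const [name, env] of Object.entries(SCENARIOS)) {
  const r = diagnoseEnv(env);
  console.log(`${name.padEnd(15)} ${r.accepted ? 'OK ' : 'BAD'} ${r.reason}`);
}
```

The same check can be run against a real deployment by pasting the Set-Cookie header from the browser's network panel into cookieAccepted together with the page URL; if it reports a rejection, no amount of token handling on the form will make the POST succeed.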
