Reputation: 11188
I think that at this point I'm able to tell you the author name and accurate posting date for this question elsewhere online if you give me a piece of the error description related to Laravel's Page Expired 419 on mobile phones.
`none` has a default fallback to `strict`, and `lax` would be the best option from a security perspective). So I kept it that way, also thinking as the bug was admitted years ago there must be something else going on.

`file` session driver, and checked permissions - those were in order but still the 419 happens.

`file` session driver to the `database` driver, ran the migration and seeing sessions populating the database. However, the issue still persists.

I feel it's something on the client side, or something in the config that gets activated when submitting the request, but I don't know where to look any more. I'm using Laravel 8.75 for this project.
Upvotes: 1
Views: 1358
Reputation: 13
If you use a saved-password app for autofill: when the password field is filled in (e.g. by Samsung's saved passwords), the browser automatically sends the request; if we click the submit button during that, it gets a double submission, and that causes an error.
Upvotes: 1
Reputation: 41
This is a CSRF issue, and as I have been reading, you are using Laravel 8.75.
> The Session Expired or 419 Page Expired error message in Laravel comes up because somewhere your CSRF token verification fails, which means the `App\Http\Middleware\VerifyCsrfToken::class` middleware is already turned on. In the form the `@csrf` Blade directive is already added, which should be fine as well.
>
> Then the other area to check is the session. The CSRF token verification is directly involved with your session, so you might want to check whether your session driver is working or not, such as an incorrectly configured Redis might cause an issue.

Ref: "https://stackoverflow.com/questions/52583886/post-request-in-laravel-error-419-sorry-your-session-419-your-page-has-exp"
Upvotes: -1
Reputation: 891
The first piece of advice is to log all such cases so that you don't try to guess the cause. To do that, you need to implement the `handle` method in your `app/Http/Middleware/VerifyCsrfToken.php`:
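```php
use Closure;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Support\Facades\Log;

// Inside the App\Http\Middleware\VerifyCsrfToken class:
public function handle($request, Closure $next)
{
    try {
        return parent::handle($request, $next);
    } catch (TokenMismatchException $e) {
        // Record both sides of the token comparison plus the request context.
        Log::error('CSRF exception', [
            'session' => $request->session()->all(),   // all session data
            'cookie' => $request->cookie(),             // all cookies sent with the request
            'session_token' => $request->session()->token(),
            'request_token' => $this->getTokenFromRequest($request),
            'request_ip' => $request->ip(),
            'request_path' => $request->path(),
            'user_agent' => $request->userAgent(),
            // any other data you need
        ]);
        // Re-throw so the framework still responds with 419.
        throw $e;
    }
}
```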
Given that you've tried all the solutions from similar issues, I can assume that users just don't close the tab with the form. The session expires and they get this error the next time they try to log in. If this is the case, I can suggest adding this HTML tag to this page (in the `head` section):

```html
<meta http-equiv="refresh" content="3600">
```

The `content` attribute specifies the number of seconds in which the page will be forced to refresh. Specify in it the lifetime of the session from your configs.
Upvotes: 3
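
A variant of the logging override from the last answer that records why the check failed without writing session contents, cookie values or raw tokens to the log file. This is an added example, not code from any of the answers; the `classify` and `fingerprint` helpers and the reason labels are hypothetical names.

```php
<?php
// Added example (Laravel 8); classify(), fingerprint() and the reason labels are hypothetical.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Support\Facades\Log;

class VerifyCsrfToken extends Middleware
{
    public function handle($request, Closure $next)
    {
        try {
            return parent::handle($request, $next);
        } catch (TokenMismatchException $e) {
            $sessionToken = $request->hasSession() ? $request->session()->token() : null;
            $requestToken = $this->getTokenFromRequest($request);
            // Was the session cookie present at all? If not, a fresh session
            // (with a fresh token) was started for this request.
            $cookieSent = $request->cookies->has(config('session.cookie'));
            Log::warning('CSRF token mismatch', [
                'reason'           => $this->classify($cookieSent, $sessionToken, $requestToken),
                // Truncated SHA-256 values correlate log entries without storing tokens.
                'session_token_fp' => $this->fingerprint($sessionToken),
                'request_token_fp' => $this->fingerprint($requestToken),
                // Names only: cookie values include the session identifier.
                'cookie_names'     => $request->cookies->keys(),
                'request_ip'       => $request->ip(),
                'request_path'     => $request->path(),
                'user_agent'       => $request->userAgent(),
            ]);
            throw $e;
        }
    }

    private function classify(bool $cookieSent, $sessionToken, $requestToken): string
    {
        if (! $cookieSent) return 'session_cookie_not_sent';
        if (! is_string($requestToken) || $requestToken === '') return 'no_token_in_request';
        if (! is_string($sessionToken)) return 'no_token_in_session';
        return 'tokens_differ'; // stale form, or the session was regenerated
    }

    private function fingerprint($token): ?string
    {
        return is_string($token) && $token !== '' ? substr(hash('sha256', $token), 0, 12) : null;
    }
}
```

Grouping the resulting log entries by `reason` and `user_agent` separates a browser that never returns the session cookie from a form submitted after its session expired.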