Laravel 5.1 Token mismatch in POST login form

I get the following error: TokenMismatchException in compiled.php line 2930

The code works on Red Hat server with PHP 5.6. I also tested this on Ubuntu server running PHP 5.5.9, and it worked fine. It also works fine locally.

It seems that on the initial GET request, 2 session files are created in storage/framework/sessions, which means that when the form is submitted through POST, the session is different.

I checked for

  • Redirection
  • Server Date / Time Problem
  • Configuration problems within session.php and app.php

The strangest thing is that 2 session files are created in the GET request.

As soon as you press the login button, you will be taken to the csrf middleware, saying that the tokens do not match.

I am using an HTML generator for forms, which means it installs _token, so it does not need to be done manually.

Form code

{!! Form::open(['action' => 'Auth\AuthController@login']) !!}

<div class="panel">

    <div class="panel-title">
        Login
    </div>

    <div class="panel-body">

        <div class="grid">

            <div class="grid-2-4 grid-prepend-1-4 grid-append-1-4">

                @include('shared._errors')

                <div class="field">
                    {!! Form::label('username', 'Employee username') !!}
                    {!! Form::text('username') !!}
                </div>

                <div class="field">
                    {!! Form::label('password', 'Password') !!}
                    {!! Form::password('password') !!}
                </div>

                <div class="actions">
                    {!! Form::submit('Login', ['class' => 'button large']) !!}
                </div>

            </div>

        </div>

    </div>

</div>

{!! Form::close() !!}

Session Configuration

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Default Session Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the default session "driver" that will be used on
    | requests. By default, we will use the lightweight native driver but
    | you may specify any of the other wonderful drivers provided here.
    |
    | Supported: "file", "cookie", "database", "apc",
    |            "memcached", "redis", "array"
    |
    */

    'driver' => env('SESSION_DRIVER', 'file'),

    /*
    |--------------------------------------------------------------------------
    | Session Lifetime
    |--------------------------------------------------------------------------
    |
    | Here you may specify the number of minutes that you wish the session
    | to be allowed to remain idle before it expires. If you want them
    | to immediately expire on the browser closing, set that option.
    |
    */

    'lifetime' => 45,

    'expire_on_close' => true,

    /*
    |--------------------------------------------------------------------------
    | Session Encryption
    |--------------------------------------------------------------------------
    |
    | This option allows you to easily specify that all of your session data
    | should be encrypted before it is stored. All encryption will be run
    | automatically by Laravel and you can use the Session like normal.
    |
    */

    'encrypt' => false,

    /*
    |--------------------------------------------------------------------------
    | Session File Location
    |--------------------------------------------------------------------------
    |
    | When using the native session driver, we need a location where session
    | files may be stored. A default has been set for you but a different
    | location may be specified. This is only needed for file sessions.
    |
    */

    'files' => storage_path('framework/sessions'),

    /*
    |--------------------------------------------------------------------------
    | Session Database Connection
    |--------------------------------------------------------------------------
    |
    | When using the "database" or "redis" session drivers, you may specify a
    | connection that should be used to manage these sessions. This should
    | correspond to a connection in your database configuration options.
    |
    */

    'connection' => null,

    /*
    |--------------------------------------------------------------------------
    | Session Database Table
    |--------------------------------------------------------------------------
    |
    | When using the "database" session driver, you may specify the table we
    | should use to manage the sessions. Of course, a sensible default is
    | provided for you; however, you are free to change this as needed.
    |
    */

    'table' => 'sessions',

    /*
    |--------------------------------------------------------------------------
    | Session Sweeping Lottery
    |--------------------------------------------------------------------------
    |
    | Some session drivers must manually sweep their storage location to get
    | rid of old sessions from storage. Here are the chances that it will
    | happen on a given request. By default, the odds are 2 out of 100.
    |
    */

    'lottery' => [2, 100],

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Name
    |--------------------------------------------------------------------------
    |
    | Here you may change the name of the cookie used to identify a session
    | instance by ID. The name specified here will get used every time a
    | new session cookie is created by the framework for every driver.
    |
    */

    'cookie' => 'geeksquad_form_session',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Path
    |--------------------------------------------------------------------------
    |
    | The session cookie path determines the path for which the cookie will
    | be regarded as available. Typically, this will be the root path of
    | your application but you are free to change this when necessary.
    |
    */

    'path' => '/',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Domain
    |--------------------------------------------------------------------------
    |
    | Here you may change the domain of the cookie used to identify a session
    | in your application. This will determine which domains the cookie is
    | available to in your application. A sensible default has been set.
    |
    */

    'domain' => '.'.config('app.domain'),

    /*
    |--------------------------------------------------------------------------
    | HTTPS Only Cookies
    |--------------------------------------------------------------------------
    |
    | By setting this option to true, session cookies will only be sent back
    | to the server if the browser has a HTTPS connection. This will keep
    | the cookie from being sent to you if it can not be done securely.
    |
    */

    'secure' => false,

];

If there is anything else that would be helpful, let me know.

+4
1 answer

Finally, I got to the bottom of the problem.

This is associated with this line in the configuration file session.php.

'domain' => '.'.config('app.domain')

This line gets the domain from the file config.php, which in turn gets it from the file .env.

On Ubuntu, and locally on Homestead, which is also Ubuntu, this works flawlessly.

However, on Red Hat, this does not work at all. Changing the line to 'domain' => '.'.env('APP_DOMAIN'), and voilà, everything is right with the world, and the TokenMismatch is gone.

+4
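
An added example, not part of the original answer or of Laravel's code: a browser discards a session cookie whose Domain attribute does not match the host it requested, so the POST arrives without that cookie and the `_token` from the GET cannot match. The check below applies the RFC 6265 Domain rules to a Set-Cookie value; the function names are hypothetical, and the hosts and header lines are constructed samples.

```javascript
// Added example. Models only the RFC 6265 Domain rules: no public-suffix
// check, hostnames and IPv4 only. All hosts and header lines are constructed.
const isIpv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 6265 section 5.1.3: identical strings, or a dot-separated suffix of a
// host that is not an IP address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIpv4(host) && host.endsWith('.' + domain);
}

// Extract the cookie name and effective Domain from one Set-Cookie value.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const name = pair.includes('=') ? pair.slice(0, pair.indexOf('=')) : '';
  let domain = '';
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1 || attr.slice(0, eq).trim().toLowerCase() !== 'domain') continue;
    const value = attr.slice(eq + 1).trim();
    if (value === '') continue; // an empty Domain attribute is ignored
    // Section 5.2.3: drop one leading dot, lowercase; the last Domain wins.
    domain = value.replace(/^\./, '').toLowerCase();
  }
  return { name, domain };
}

// 'host-only' and 'domain' cookies are stored and sent back on the POST;
// a 'rejected' cookie is dropped, so the server starts a second session.
function cookieFate(requestHost, setCookieLine) {
  const host = requestHost.toLowerCase().replace(/:\d+$/, '');
  const { name, domain } = parseSetCookie(setCookieLine);
  if (domain === '') return { name, fate: 'host-only' };
  return { name, fate: domainMatches(host, domain) ? 'domain' : 'rejected' };
}

const cookie = 'geeksquad_form_session=abc123; path=/; httponly';
const samples = [
  ['forms.example.org', cookie + '; domain=.example.org'],
  ['forms.example.org', cookie + '; domain=.example.com'],
  ['forms.example.org', cookie],
  ['10.0.0.5:8080', cookie + '; domain=.example.org'],
];
for (const [host, header] of samples) {
  console.log(host.padEnd(18), cookieFate(host, header).fate, '<-', header);
}
```

Feeding it the Set-Cookie line the login page actually returns, together with the host typed into the browser, shows whether the value computed for 'domain' in session.php fits the host the site is served from.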

Source: https://habr.com/ru/post/1616352/

