Problem: When you try to send form data (login or registration forms), make POST requests, or upload images to a server from an application developed with Ajax, jQuery, or Laravel, you get a 419 Page Expired error.
The error page layout may differ between framework versions, but the error code (419) and the error message (Page Expired) are the same. The detailed error messages are listed below:
Status Code: 419 unknown status
419 (unknown status)
419 (unknown status laravel postman)
419 error ajax laravel
Uncaught (in promise) Error: Request failed with status code 419
CSRF token mismatch exception laravel ajax
Laravel 5.5: 419 unknown status
419 | PAGE EXPIRED
419
Sorry, your session has expired.
Please refresh and try again.
419. Sorry, your session has expired. Please refresh and try again.
419
很抱歉,您的Session已过期,请刷新后再试一次。
419。很抱歉,您的Session已过期,请刷新后再试一次。
Follow the solution steps below to resolve the 419 Page Expired or Session Expired error; they work with Laravel 7, 6, 5. 5.5, 5, 4 versions.
Table of Contents
Content Summary
Potential Causes
Solution 1: Check SESSION_DOMAIN Value on .env File
Solution 2: Reload/Refresh Page
Solution 3: Clear Cache and Config
Solution 4: Check CSRF Verification
Solution 5: Modify Code
Solution 6: Disable CSRF Token
Solution 7: Generate New App Key
The 419 HTTP status code indicates that authentication failed for a previously authenticated request or that the authentication key/token has expired. You will not find it among the standard HTTP status codes; you can consider it an alternative to 401, which is the status code for unauthorized. So when you get a 419 Page Expired error, the server is telling you that your authentication for a particular request has expired.
According to Laravel documentation, Cross-site request forgeries (CSRF) are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user. Laravel framework has a security feature that helps you in protecting your site from CSRF.
Let’s say you opened the login page of a Laravel application in your browser and then got a call from your friend. You were busy talking and forgot about logging in to the application, so the page stayed open for quite a while. When you came back, filled in the form and submitted it, the 419 Page Expired error appeared.
If you inspect the login form page or view its source code in the browser, you will find a hidden input field holding a long string: the CSRF token, which is responsible for protection against CSRF. Laravel automatically adds token middleware for users to prevent CSRF attacks. While you were away from your screen talking to your friend, that token expired, and your request was rejected with a 419 HTTP status code.
Potential Causes
- Not sending the CSRF token in your POST request or form submission while the VerifyCsrfToken middleware is in use.
- Some issues with the session.
- Taking too much time to submit the request.
- Tampering with the hidden token field.
- Session settings not configured properly in the session config file.
- Internal framework mechanism called CSRF protection.
- CSRF Token Verification Failure
- Session Expired Due to Stale Cache
- Incorrect Laravel File and Folder Permissions
- Incorrect Laravel Session Setting
- Mismatched Laravel .env App Key
- Npm or Composer dependency conflict
- Missing CSRF token within your form
Solution 1: Check SESSION_DOMAIN Value on .env File
This often happens when you are working with different development environments. The value is used in config/session.php, so check whether someone else on your team has put a manual value there. Verify that the domain and cookie configuration in the session config file is correct. Try adding SESSION_DOMAIN=mydomain.com to your .env file, then clear your cache.
If you are using the file session driver to store sessions in storage/framework/sessions, you might have permission issues with the /storage directory.
Solution 2: Reload/Refresh Page
Reload/refresh your browser with CTRL + F5 to get a new token, or add JavaScript to the application that refreshes the token from time to time.
Solution 3: Clear Cache and Config
Check the cache and clear it by executing the commands below in the terminal:
php artisan config:cache
php artisan cache:clear
This is common during local development from constantly changing configurations.
Solution 4: Check CSRF Verification
Laravel automatically generates a CSRF “token” for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. Double-check that you included @csrf and used the correct form method. The directive should be added just after the opening <form> tag.
<form method="POST" action="/profile">
@csrf
...
</form>
If the error stems from a login, be sure to check the locally stored (browser) CSRF token against the one in the database for your account and make sure they are the same.
Alternatively, you can create the token input manually, using the csrf_token() method. The outcome will be identical.
<!-- Equivalent for @csrf directive -->
<input type="hidden" name="_token" value="{{ csrf_token() }}">
Solution 5: Modify Code
The Laravel 419 status error is associated with token authorization only. Add the code below to the <head> of the page that makes the Ajax request:
<meta name="csrf-token" content="{{ csrf_token() }}">
Then add the code below so that it runs before your Ajax calls:
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
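The token handling from Solutions 2 and 5, as an added example that is not code from the original article: a fetch wrapper that attaches X-CSRF-TOKEN only to state-changing same-origin requests (the $.ajaxSetup call above adds the header to every jQuery request, cross-origin ones included) and, on a 419, obtains a fresh token once and retries. makeCsrfClient, csrfHeaders, the refreshToken callback and the /csrf-token route in the usage comment are hypothetical names; the route is assumed to be one you define yourself that returns csrf_token().

```javascript
// Added example; makeCsrfClient, csrfHeaders and refreshToken are hypothetical names.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Return the CSRF header only for state-changing requests to the page's own
// origin, so the token is never sent to a third-party host.
function csrfHeaders(method, url, pageOrigin, token) {
  const sameOrigin = new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  if (!sameOrigin || !STATE_CHANGING.has(method.toUpperCase())) return {};
  return { 'X-CSRF-TOKEN': token };
}

// fetchImpl: a fetch-compatible function (window.fetch in a browser).
// refreshToken: async function returning a fresh token (assumption: it calls
// a same-origin route of your own that returns csrf_token()).
function makeCsrfClient({ fetchImpl, pageOrigin, initialToken, refreshToken }) {
  let token = initialToken;
  return async function send(url, options = {}) {
    const method = options.method || 'GET';
    const attempt = () => {
      const extra = csrfHeaders(method, url, pageOrigin, token);
      return fetchImpl(url, { ...options, headers: { ...options.headers, ...extra } });
    };
    let response = await attempt();
    const tokenWasSent = 'X-CSRF-TOKEN' in csrfHeaders(method, url, pageOrigin, token);
    if (response.status === 419 && tokenWasSent) {
      token = await refreshToken(); // Laravel rejects with 419 before the controller runs
      response = await attempt();   // retry once only; a second 419 goes to the caller
    }
    return response;
  };
}

// Browser usage (not executed here; '/csrf-token' is a hypothetical route):
// const send = makeCsrfClient({
//   fetchImpl: window.fetch.bind(window),
//   pageOrigin: window.location.origin,
//   initialToken: document.querySelector('meta[name="csrf-token"]').content,
//   refreshToken: async () => (await (await fetch('/csrf-token')).text()).trim(),
// });
```

Because the retry happens at most once, a session that is genuinely gone still surfaces as a 419 to the caller, which can then prompt the user to reload or log in again.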
Solution 6: Disable CSRF Token
Disable the VerifyCsrfToken middleware in the web middleware group (in the app\Http\Kernel.php file, search for the web group, find VerifyCsrfToken, and comment it out or delete it). This turns CSRF protection off completely.
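Go to App\Http\Middleware\VerifyCsrfToken.php, then edit the protected $except variable to this:
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    // The URIs that should be excluded from CSRF verification.
    protected $except = [
        "/*"
    ];
}
‘/*’ matches every URI, so CSRF verification is skipped for all routes.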
Solution 7: Generate New App Key
Generate a new app key which will flush the session data: php artisan key:generate