In laravel 5.3 when i logout from admin i got "TokenMismatchException"

Question

In laravel 5.3, I can submit a form from my project when i logged in admin but when I logout from admin and submit the same form without refresh the page I get a TokenMismatchException.

My route:

Route::group(['prefix' => 'admin', 'middleware' => ['backend']], function()
{
    Route::get('logout', 'Auth\LoginController@logout')->name('user.logout');
});

My Form:

{!! Form::open(['route' => ['contactus.store'], 'method'=> 'POST', 'id' => 'contact_us_form']) !!}

    <?php echo Form::text('name', NULL, ['placeholder' => 'name', 'class' => 'form-control', 'id' => 'name']); ?>

{!! Form::close() !!}

Possible duplicate of [What is the right way to resolve token mismatch error in laravel?](https://stackoverflow.com/questions/45223087/what-is-the-right-way-to-resolve-token-mismatch-error-in-laravel) — online Thomas, Jul 24 '17 at 14:46

score 1 · Answer 1 · answered Jul 24 '17 at 15:04

If i understood correctly the problem:

You are logged in as user 'admin';
You go the form page;
You logout from admin user;
Without refreshing the form page, you submit the form and get the TokenMismatchException

In that case, this is the expected behaviour. From the docs:

This token is used to verify that the authenticated user is the one actually making the requests to the application.

When you logout, your CSFR become invalid: that's why you need to refresh the page.

You can disable them for specific URIs by modifying the $except property in VerifyCsrfToken.php:

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'your/route',
    ];
}

is it possible to add route in $except array? like this route('route-to-something'); ? — wahdan, Jul 24 '17 at 18:46
no, you can't put something to evaluate when assigning value to a property outside a function, only constants — gbalduzzi, Jul 25 '17 at 15:26

score 0 · Answer 2 · answered Jul 24 '17 at 14:54

0

Tokens are there SPECIFICALLY to stop you posting the same form TWICE. If you don't want that behaviour, remove the CSRF token from your form.

answered Jul 24 '17 at 14:54

delboy1978uk

12,118
2
21
39

i am opening two tabs when i logout from tab my token will be destroyed , if i returned to the second tab which has the form (without refreshing it ) and submitting the form it will give me this error – Rana Jul 24 '17 at 15:00
That's kind of expected behaviour! – delboy1978uk Jul 24 '17 at 15:13
@delboy1978uk Do you think its better to show the error message to the user? – wahdan Jul 24 '17 at 18:44
If the error message is only something a dev would understand then use a friendlier message – delboy1978uk Jul 25 '17 at 07:40

score 0 · Answer 3 · answered Jul 24 '17 at 14:56

0

First, you don't need to care token when the request is GET.
Second, when you use POST request, you have to save token in every request and use it. The coding way depends on your coding. Thank you.

answered Jul 24 '17 at 14:56

Tiefan Ju

510
3
14

score -1 · Answer 4 · answered Jul 24 '17 at 14:43

-1

you should add

<input type="hidden" value="{{csrf_token()}}" name="_token"/>

to your logout form

answered Jul 24 '17 at 14:43

siavash mohammadi

11
2

This is not necessary since the HTML form builder `Form::open()` will do this for you – Harry Jul 24 '17 at 14:46
i don't have form in logout, it's a get action. – Rana Jul 24 '17 at 14:49

In laravel 5.3 when i logout from admin i got "TokenMismatchException"

4 Answers4