Saturday, 16 December 2023

Laravel csrf token mismatch for ajax post request

The error "CSRF Token Mismatch" occurs when the token stored in the user's session does not match the token sent with the request (or no token was sent at all). Laravel uses the CSRF token to protect the application from cross-site request forgery attacks.

Common Causes of CSRF Token Mismatch

Here are the most frequent reasons developers encounter this error:

  • Token not included in the request

  • Session expired

  • Mismatched cookie domain or path

  • AJAX request not sending token

  • Browser caching old pages

  • Incorrect session driver settings

  • HTTPS cookie issues

  • Middleware misconfiguration

  • Permission issues in Laravel storage directories


CSRF Token Not Sent in the Request:

Ensure that the CSRF token is included in your forms. You can use @csrf blade directive in your form.
<form method="POST" action="/your-route">
 @csrf 
</form>

For AJAX requests, you need to include the CSRF token in the request header. You can use a meta tag to store the token:
<meta name="csrf-token" content="{{ csrf_token() }}">
And include it in your AJAX request headers:
$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });
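The same idea without jQuery, as an added example that is not part of the original post: a small fetch() wrapper that reads the token from the meta tag above, sends it in the X-CSRF-TOKEN header together with the session cookie, refuses to send a request when the meta tag is missing, and recognises the HTTP 419 "Page Expired" status that Laravel returns on a mismatch (for example after the session lifetime from the next section has elapsed). Function names are the example's own.

```javascript
// Added example (not from the original post). Assumes the Blade layout renders
// <meta name="csrf-token" content="{{ csrf_token() }}"> in the page head.

// Read the token from the meta tag. Returns null when the tag is absent, which
// is itself one of the common causes of the mismatch error.
function readCsrfToken(doc = globalThis.document) {
  if (!doc) return null;
  const meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Build the fetch() options: token header plus the session cookie. Throws early
// instead of sending a request that VerifyCsrfToken would reject anyway.
function csrfRequestInit(token, body, method = 'POST') {
  if (!token) {
    throw new Error('CSRF token missing: add <meta name="csrf-token"> to the layout');
  }
  return {
    method,
    credentials: 'same-origin', // send the laravel_session cookie with the request
    headers: {
      'X-CSRF-TOKEN': token, // the header VerifyCsrfToken middleware checks
      'X-Requested-With': 'XMLHttpRequest',
      'Content-Type': 'application/json',
      Accept: 'application/json',
    },
    body: JSON.stringify(body),
  };
}

// Laravel answers a token mismatch with HTTP 419 ("Page Expired").
function isTokenMismatch(response) {
  return response.status === 419;
}

// POST JSON to a Laravel route with the CSRF token attached. A 419 means the
// session (and with it the token) expired: reload the page to get a fresh one.
async function postWithCsrf(url, body, { fetchImpl = fetch, doc = globalThis.document } = {}) {
  const res = await fetchImpl(url, csrfRequestInit(readCsrfToken(doc), body));
  if (isTokenMismatch(res)) {
    throw new Error('CSRF token mismatch (419): session expired, reload the page');
  }
  return res;
}
```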

Expired Session: 

If the user's session has expired, the CSRF token will also expire. Ensure that your session lifetime is appropriately configured in config/session.php.

To fix this, check the session lifetime in:

config/session.php

Look for:

'lifetime' => 120,

Increase it if necessary. If you are using Redis or database sessions, ensure the configuration matches your server environment.

Mismatched Session Domain/Path:

Ensure that your session cookie's domain and path are correctly set in config/session.php. Incorrect settings can lead to the browser not sending the cookie.

If your Laravel app runs on subdomains like:

    example.com
    app.example.com
    admin.example.com

you must set the correct cookie domain. In config/session.php:

    'domain' => '.example.com',

A misconfigured domain prevents the cookie from being sent, causing the token mismatch.

Cache Issue:

    Sometimes, a cached page might be serving an old CSRF token. Make sure your forms are not being cached, or clear the cache if necessary.

Middleware Configuration:

    Ensure that the VerifyCsrfToken middleware is correctly configured in your project's app/Http/Kernel.php.

Testing Environments: 

 If you're running automated tests, you might want to disable CSRF protection for testing routes. You can do this in the App\Http\Middleware\VerifyCsrfToken class by adding the routes to the $except array.

Browser Cookies:

    Sometimes the issue is on the client side, with the browser not properly handling cookies. Clearing the browser's cookies and cache can sometimes resolve this issue.

    Fix:
    - Disable caching on forms
    - Clear the browser cache
    - Add headers to prevent caching

    Example (PHP):

    header("Cache-Control: no-cache, no-store, must-revalidate");

File Permissions:

    Ensure that your storage and bootstrap/cache directories have the correct permissions and are writable by the web server.

Session Driver:

    Check your session driver configuration in .env and config/session.php. If you're using file sessions, ensure the storage path is writable. For database sessions, ensure the session table exists and is correctly structured.

HTTPS Issues:

    If your application is served over HTTPS, ensure that the Secure attribute is set for cookies. You can configure this in config/session.php.

If you've checked all these and are still facing issues, it might be helpful to look at the Laravel logs for more specific error messages or stack traces that can provide further insights into the problem.
