Saturday, 16 December 2023

Laravel csrf token mismatch for ajax post request

This error usually occurs when the CSRF token stored in the user's session does not match the token sent with the request.
Laravel's CSRF token protects the application from cross-site request forgery, in which another website tricks an authenticated user's browser into submitting requests on their behalf.

Common Reasons for CSRF Token Mismatch

Here are the most common reasons why developers run into this error:

  • The request did not include a token.
  • The session has ended.
  • The cookie domain or path doesn't match.
  • The token is not being sent with the AJAX request.
  • Old pages are stored in the browser's cache.
  • Settings for the session driver are wrong.
  • Problems with HTTPS cookies.
  • Incorrect setup of middleware.
  • Problems with permissions in Laravel storage folders.

CSRF Token Not Sent in the Request:

Make sure your forms have the CSRF token in them. The @csrf blade directive can be used in your form.
<form method="POST" action="/your-route">
    @csrf
</form>

You have to put the CSRF token in the request header for AJAX requests. You can save the token in a meta tag:
<meta name="csrf-token" content="{{ csrf_token() }}">
And put it in the headers of your AJAX request:
$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });
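As an added example that is not part of the original post, here is a fetch()-based equivalent of the jQuery setup above: it reads the same csrf-token meta tag, sends the cookie with the request, and treats Laravel's HTTP 419 "Page Expired" status as the signal for a token mismatch. The document and fetch objects are injected (assumed names doc and fetchImpl) so the helper also runs outside a browser.

```javascript
// Added example, not code from the original post. Builds a POST request that
// carries Laravel's CSRF token the way the $.ajaxSetup snippet above does.

function getCsrfToken(doc) {
  // Same source as <meta name="csrf-token" content="{{ csrf_token() }}">.
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta && meta.getAttribute('content');
  if (!token) {
    // "The request did not include a token" is the first cause on the list;
    // failing here is clearer than a 419 from the server later.
    throw new Error('csrf-token meta tag is missing; add it to the layout <head>');
  }
  return token;
}

function buildCsrfRequest(doc, payload) {
  return {
    method: 'POST',
    // 'same-origin' makes the browser attach the session cookie; without the
    // cookie the server has no session token to compare the header against.
    credentials: 'same-origin',
    headers: {
      'X-CSRF-TOKEN': getCsrfToken(doc),
      'X-Requested-With': 'XMLHttpRequest',
      'Content-Type': 'application/json',
      'Accept': 'application/json',
    },
    body: JSON.stringify(payload),
  };
}

function interpretResponse(status) {
  // Laravel answers a token mismatch (or expired session) with HTTP 419.
  // The page's token is stale, so the caller should reload rather than retry.
  if (status === 419) return { ok: false, reason: 'csrf-mismatch' };
  if (status >= 200 && status < 300) return { ok: true, reason: null };
  return { ok: false, reason: 'http-error' };
}

async function csrfPost(url, payload, { doc, fetchImpl = globalThis.fetch } = {}) {
  const response = await fetchImpl(url, buildCsrfRequest(doc, payload));
  return { status: response.status, ...interpretResponse(response.status) };
}

// Constructed stand-in for `document` so the helpers can be exercised offline.
function fakeDocument(token) {
  return {
    querySelector: (selector) =>
      selector === 'meta[name="csrf-token"]' && token != null
        ? { getAttribute: (name) => (name === 'content' ? token : null) }
        : null,
  };
}
```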

Expired Session:

The CSRF token also becomes invalid when the user's session has expired. Make sure the session lifetime is set correctly in config/session.php.

To fix this, check the session lifetime in:

config/session.php

Look for:

'lifetime' => 120,

If you need to, raise it. Make sure that the configuration for Redis or database sessions matches the environment on your server.

Session Domain/Path Not Matching:

    Ensure that your session cookie's domain and path are correctly set in config/session.php. Incorrect settings can lead to the browser not sending the cookie at all.

    If your Laravel app runs on subdomains like

      example.com
      app.example.com
      admin.example.com

    you must set the correct cookie domain. In config/session.php:

      'domain' => '.example.com',

    A misconfigured domain prevents the cookie from being sent, causing a token mismatch.

Cache Issue:

    Sometimes, a cached page might be serving an old CSRF token. Make sure your forms are not being cached, or clear the cache if necessary.

Middleware Configuration:

    Make sure the VerifyCsrfToken middleware is correctly registered and configured in the project's app/Http/Kernel.php.

Testing Environments:

If you're running automated tests, you might want to disable CSRF protection for specific routes. You can do this in the App\Http\Middleware\VerifyCsrfToken class by adding those routes to the $except array. Note that routes listed in $except are exempt in every environment, not only under test, so keep that list as narrow as possible.

Browser Cookies:

    Sometimes the issue is on the client side: the browser is not handling cookies properly, or it is serving a cached copy of the form with an old token. Clearing the browser's cookies and cache can resolve this.

    Fix:
      • Disable caching on forms.
      • Clear the browser cache.
      • Send headers that prevent caching.

    Example (PHP):
      header("Cache-Control: no-cache, no-store, must-revalidate");

File Permissions:

    Make sure that the web server can write to your storage and bootstrap/cache directories and that they have the right permissions.

Driver for the session:

    Check out your .env and config/session.php files to find out how your session driver is set up. If you are using file sessions, make sure that the storage path is writable. Check to see if the session table is there and set up right for database sessions.

Problems with HTTPS:

    If your application is served over HTTPS, make sure the session cookie has the Secure attribute set; this is the 'secure' option in config/session.php. Be aware that a cookie marked Secure is never sent over plain HTTP, so if the site is also reached over http:// the session cookie will be missing and the token will not match.

If you've checked all of these and are still having problems, look at the Laravel logs for more detailed error messages or stack traces that can help you figure out what's going on.
