Laravel 5 and Internet Explorer : Token Mismatch


My Laravel 5 website uses CSRF tokens to prevent CSRF attacks. On Chrome and Firefox, everything works fine.

I submitted the site for my client to test and, when he uses Internet Explorer (9/10), he gets "Token mismatch" errors on every page using the token.

I assume it is a cookie/session issue.

After some research, I tried removing the slash in the cookie name ("laravel_session"), and changing the session driver ("file" by default). It didn't help.

I know my client could change his "trust policies" in IE, but it's a public site and this would only be a temporary solution.

Any thoughts on that weird issue?

4

There are 4 answers

0
Martijn On

I had the same problem and what fixed it for me was to edit my .htaccess expire settings to:

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault A0
    ExpiresByType text/html A0
    # Set up caching on media files for 1 year
    <FilesMatch "\.(jpg|png|gif|js|css|ico|woff|woff2|eot|svg|ttf)$">
        ExpiresDefault A31536000
    </FilesMatch>
</IfModule>

Before, my ExpiresDefault was A31536000 and I did not have the ExpiresByType text/html.

1
Robin C Samuel On

I faced the same issue, and it was due to a P3P error. I faced the issue on Edge (Windows 10).

I did a lot of research, and finally got it fixed.

All you have to do is create a new middleware and update the handle function to:

public function handle($request, Closure $next)
{
    $response = $next($request);
    $response->header('P3P', 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
    return $response;
}

Explained it in detail at

https://robinz.in/csrf-token-session-error-with-laravel-on-ie-edge/

0
user534498 On

I am not sure about your case, but I just encountered the same issue today. Only IE had the problem; FF and Chrome worked fine.

I then realized that the time/date on the server was wrong. I set the server to the current date, and now everything is working.

I guess it's because the server will set cookie expiration according to its own time, and at the client, IE will delete the cookies immediately if the server lags behind. Just my guess.

Hope it can solve your case too. Good luck.

1
Rebecca Moraes On

In my case the problem was the server time. I read somewhere that if the server time is older than the client's, IE clears the cookies. Then I noticed that the server time here was 8 hours late. After fixing this, the Token Mismatch error disappeared.
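
The server-clock explanation in the last two answers can be checked from captured response headers. The following is an added example, not code from any of the posts: the header values, the 5-minute tolerance and the function names are constructed for illustration, and it assumes the browser judges a cookie's Expires date against its own clock.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: response from a server whose clock runs 8 hours late,
# issuing a session cookie with a 2-hour lifetime (values are illustrative).
SAMPLE_HEADERS = [
    ("Date", "Wed, 10 Jun 2015 04:00:00 GMT"),
    ("Set-Cookie", "laravel_session=abc123; expires=Wed, 10 Jun 2015 06:00:00 GMT; path=/; httponly"),
    ("Set-Cookie", "locale=en; path=/"),  # no Expires attribute: never flagged
]
CLIENT_NOW = datetime(2015, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
TOLERANCE = timedelta(minutes=5)  # assumed threshold for reporting skew


def cookie_expiries(headers):
    """Yield (cookie_name, expires) for each Set-Cookie carrying Expires."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "expires":
                yield cookie_name, parsedate_to_datetime(val.strip())


def diagnose(headers, client_now):
    """Compare server-stamped times with the client's clock."""
    findings = []
    date = next((v for n, v in headers if n.lower() == "date"), None)
    if date is not None:
        skew = parsedate_to_datetime(date) - client_now
        if abs(skew) > TOLERANCE:
            # Negative value: the server clock is behind the client.
            findings.append(("clock_skew", int(skew.total_seconds())))
    for cookie, expires in cookie_expiries(headers):
        if expires <= client_now:
            # Already in the past for the client, so the session never sticks.
            findings.append(("expired_on_arrival", cookie))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_HEADERS, CLIENT_NOW):
        print(finding)
```

Feed it the headers of a real response and the current UTC time of the affected client; a large negative skew together with an `expired_on_arrival` entry for the session cookie matches the situation the two answers describe.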