419 page expired error in Laravel

The 419 page expired error in Laravel occurs when a POST request arrives without a valid CSRF token, or when the page sits open so long before submitting that the session and its CSRF token have expired.

CSRF, or Cross-Site Request Forgery, is a type of malicious exploit in which unauthorized commands are performed on behalf of an authenticated user. The Laravel framework has an internal mechanism for CSRF protection that is enabled by default for all POST, PUT, PATCH, and DELETE requests within web routes. A CSRF token is a secret value generated by the server and checked in the subsequent HTTP POST, PUT, PATCH, and DELETE requests made by the client.

To solve the 419 page expired error in Laravel, we have to include the CSRF token in our POST requests. The example below shows how to add the CSRF token to a form that makes a POST request.

<form action="/save" method="POST">
	@csrf
	<input type="text" name="name"/>
	<button type="submit">Save</button>
</form>

The Blade template engine has a built-in directive, @csrf, that generates a hidden HTML input containing the token. The @csrf directive must be placed inside the <form> tag. @csrf is equivalent to:

<input type="hidden" name="_token" value="{{ csrf_token() }}" />

For an ajax request the solution is a little different: we send the CSRF token in a request header instead of a form field. First we expose csrf_token() in a meta tag, as in the example below.

<head>
    <meta name="csrf-token" content="{{ csrf_token() }}" />
</head>
<script>
    function sendPostRequest() {
        var data = {
            name: $("#name").val()
        };

        // Read the token that the server rendered into the meta tag and
        // send it in the X-CSRF-TOKEN header, which VerifyCsrfToken accepts
        // as an alternative to the _token form field.
        var headers = {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        };

        $.ajax({
            url: "/save",
            type: "post",
            headers: headers,
            data: data,
            success: function (res) {
                // handle the server response here
            }
        });
    }
</script>

Then we take the token from the meta tag and add it to the header of the ajax request.

Disabling CSRF Protection for some routes

The App\Http\Middleware\VerifyCsrfToken middleware is included in the web middleware group by default. This middleware automatically checks all POST requests in web routes and verifies that the token in the request matches the token stored in the session. When the two tokens match, we know that the request was initiated by the authenticated user rather than by a third-party site.

In some cases we may want to exclude a set of routes from CSRF protection. For example, if we are working with Stripe for payments, we may be using their webhook system, and Stripe's servers have no way to obtain our session's CSRF token. In this scenario we need to exclude the Stripe webhook routes from CSRF protection.

We can disable CSRF protection for route groups or specific routes in Laravel. To do this, open the App\Http\Middleware\VerifyCsrfToken middleware. In VerifyCsrfToken.php, add the route patterns or specific routes to be excluded from CSRF protection to the $except array property.

// /app/Http/Middleware/VerifyCsrfToken.php
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     */
    protected $except = [
        'payments/*',  // exclude all URLs with prefix payments/
        'product/add', // exclude this exact URL
    ];
}
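To make the verification rule and the $except matching concrete, here is a stripped-down model of what VerifyCsrfToken does. This is an added example, not Laravel's own middleware code: FakeRequest and CsrfVerifier are hypothetical stand-ins, and the wildcard matching (a '*' in an $except entry matching any run of characters) is an assumption that mirrors the shape of Laravel's behaviour rather than its exact implementation. It can be run with plain PHP 8, no framework needed.

```php
<?php
// Added example (not Laravel's own code): a minimal model of the CSRF check
// so the token comparison and the $except list can be tried outside an app.

// Hypothetical stand-in for the parts of the request the middleware looks at.
final class FakeRequest
{
    public function __construct(
        public string $method,
        public string $path,
        public array $input = [],   // form fields, e.g. ['_token' => '...']
        public array $headers = [], // e.g. ['X-CSRF-TOKEN' => '...']
    ) {}
}

final class CsrfVerifier
{
    // URIs excluded from verification, in the same style as $except.
    public function __construct(private array $except = []) {}

    // Only state-changing verbs are checked; HEAD, GET and OPTIONS pass through.
    private function isReading(string $method): bool
    {
        return in_array(strtoupper($method), ['HEAD', 'GET', 'OPTIONS'], true);
    }

    // Assumed matching rule: exact URI, or '*' as a wildcard for any characters.
    private function inExceptArray(string $path): bool
    {
        $path = trim($path, '/');
        foreach ($this->except as $pattern) {
            $pattern = trim($pattern, '/');
            $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
            if ($pattern === $path || preg_match($regex, $path) === 1) {
                return true;
            }
        }
        return false;
    }

    // The token may arrive as the _token field (@csrf) or the X-CSRF-TOKEN header (ajax).
    private function tokenFromRequest(FakeRequest $request): ?string
    {
        return $request->input['_token'] ?? $request->headers['X-CSRF-TOKEN'] ?? null;
    }

    // Returns the HTTP status the middleware would produce:
    // 200 when the request passes, 419 when the token is missing or wrong.
    public function handle(FakeRequest $request, string $sessionToken): int
    {
        if ($this->isReading($request->method) || $this->inExceptArray($request->path)) {
            return 200;
        }
        $token = $this->tokenFromRequest($request);
        // hash_equals compares in constant time, so timing does not leak the session token.
        if (is_string($token) && hash_equals($sessionToken, $token)) {
            return 200;
        }
        return 419; // "Page Expired"
    }
}

// Constructed sample run: one session token, several kinds of request.
$sessionToken = bin2hex(random_bytes(20)); // 40 random characters, like Laravel's tokens
$verifier = new CsrfVerifier(['payments/*', 'product/add']);

$cases = [
    'form with @csrf'        => new FakeRequest('POST', '/save', ['_token' => $sessionToken]),
    'ajax with header'       => new FakeRequest('POST', '/save', [], ['X-CSRF-TOKEN' => $sessionToken]),
    'token missing'          => new FakeRequest('POST', '/save'),
    'stale token'            => new FakeRequest('POST', '/save', ['_token' => str_repeat('0', 40)]),
    'excluded webhook route' => new FakeRequest('POST', '/payments/stripe/webhook'),
    'plain GET'              => new FakeRequest('GET', '/save'),
];

foreach ($cases as $label => $request) {
    printf("%-24s -> %d\n", $label, $verifier->handle($request, $sessionToken));
}
```

The first two cases return 200, the "token missing" and "stale token" cases return 419 (the page expired response this article is about), the webhook route returns 200 only because it is listed in $except, and the GET passes because reading verbs are never checked. Every entry added to $except widens the set of URLs a third-party site can hit with a state-changing request, so it should name only endpoints that authenticate by other means, such as a webhook signature.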

Conclusion

CSRF protection is enabled by default for all POST requests within web routes in Laravel. We have to pass the CSRF token generated by the server along with every POST request, and the VerifyCsrfToken middleware verifies it. The Blade directive @csrf generates a hidden HTML input containing the token inside the form.
