I created an easy to use API to help businesses do incredible things with AI.
Laravel Security

Here's how to fix the "419 Page Expired" error in Laravel

Benjamin Crozat
Modified on Aug 30, 2024 9 comments Edit on GitHub
Here's how to fix the "419 Page Expired" error in Laravel

Introduction to the “419 Page Expired” error in Laravel

Have you ever encountered the “Page Expired” error with the HTTP code 419 in your Laravel applications?

It’s often a simple issue related to CSRF (Cross-Site Request Forgery) tokens.

Let’s find out what causes this error and how you can resolve it.

Why “419 Page Expired” happens and how to fix it

In your Laravel applications, regardless of the version you’re running (8, 9, or 10), you have likely used the @csrf directive in your forms.

This directive generates a hidden input field containing a CSRF token, which is included when submitting the form.

This token confirms that the form is being submitted from your application and not by a third party.

Errors like the “419 Page Expired” occur when the CSRF token is mismatched. This can happen for various reasons:

  • Sometimes, you leave the page open for too long (a login page, for instance), and the token expires, which is good for security. Just click the refresh button in your browser and re-submit the form.
  • You might have forgotten to include the @csrf directive in your form. This is problematic because, by default, Laravel expects the CSRF token to be present thanks to the VerifyCsrfToken middleware that filters the requests.
  • The session might have expired, causing the CSRF token to become invalid.
  • There could be issues with cookie settings or session configuration.

To fix this error:

  1. Always include the @csrf directive in your forms.
  2. Ensure your session and cookie configurations are correct.
  3. If the error persists, try clearing your browser cache and cookies.
  4. Check if your web server is properly configured to handle Laravel sessions.

Learn more on Laravel’s documentation about Cross-Site Request Forgery protection.

Disable CSRF protection on some pages to avoid the “419 Page Expired” error

Occasionally, you may want to disable CSRF protection on some pages and prevent those “419 Page Expired” errors.

Instead of removing the middleware from the kernel, specify which pages you want to exclude from being protected.

In app/Http/Middleware/VerifyCsrfToken.php:

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array<int, string>
     */
    protected $except = [
        '/some-page',
        '/some-other-page',
    ];
}

9 comments

nsubramkavin
nsubramkavin 5mos ago

Thanks. 419 issue resolved after adding /login page in protected list of VerifyCsrfToken

Benjamin Crozat
Benjamin Crozat 5mos ago

That's great, but I don't recommend that. A login page must be secure. 🙂

nsubramkavin
nsubramkavin 5mos ago

ok. got you. Seems to be a necessary evil.

jmakinin
jmakinin 4mos ago

I'm facing same 419 page expired issue but mine is a Laravel 11 API, I'm using postman and understand I have to make a pre-request to /sanctum/csrf-token for the x-xsrf-token, but that request returns an empty response and I'm not sure what to try now. the documentation does not touch on this for APIs.

Benjamin Crozat
Benjamin Crozat 4mos ago

Have you tried following the documentation from the start again? I find it weird that /sanctum/csrf-token has no effect. What's the HTTP code? 419 there too?

Also, when you run php artisan route:list you will see which controller is associated with /sanctum/csrf-token. Maybe put a dd() there. That's how you make sure you're actually hitting the route.

Marcello Pato
Marcello Pato Modified 4mos ago

What if the 419 appears just for me? All my colleagues can log in from theirs house's, but I can't even though I have restarted my network modem...

Benjamin Crozat
Benjamin Crozat 4mos ago

This error has nothing to do with your location or your network. 🙂

Ayax Córdova
Ayax Córdova Modified 4mos ago

There might be something related to your cookies, your browser possibly restricts cookies.

As Benjamin said:

This error has nothing to do with your location or your network

So, please check your browser configuration and see if there's something odd, or try to delete the old cookie, this might solve your problem.

RICKY SUTANTO
RICKY SUTANTO 1w ago

Hi @Benjamin, how we replace the error page 419 with notification? I want make the error popup more nice than default laravel error page.

Get help or share something of value with other readers!

Great deals for enterprise developers
  • Summarize and talk to YouTube videos. Bypass ads, sponsors, chit-chat, and get to the point.
    Try Nobinge →
  • Monitor the health of your apps: downtimes, certificates, broken links, and more.
    20% off the first 3 months using the promo code CROZAT.
    Try Oh Dear for free
  • Keep the customers coming; monitor your Google rankings.
    30% off your first month using the promo code WELCOME30
    Try Wincher for free →
The latest community links
- / -