I encountered this problem a few days ago after I put my website into production. After login or register or any other POST request it gives me a Page Not Found 419 error. On localhost everything works fine. It has already taken me more than 4 days of research and I couldn't come up with a solution. It's probably related to CSRF verification, but every solution there is I've already tried (unsuccessfully).
The things I did:
<meta name="csrf-token" content="{{ csrf_token() }}"> in head section
php artisan cache:clear
php artisan route:clear
php artisan view:clear
php artisan config:clear
php artisan view:cache
php artisan route:cache
php artisan key:generate
<?php tag
777 to www-data for whole folder (desperate act)
The main thing I've noticed is that on localhost the CSRF token is generated once and stays the same after a page refresh, while on the web server it changes after each page refresh. It looks like the session can't hold that information, and that results in the error.
Here is my .env file
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:s15iIzuybt78V7zZ7cHqcwCRAr1h6YfEWPArlrcqW3A=
APP_DEBUG=false
APP_URL=http://mydomain.tk
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=dbname
DB_USERNAME=root
DB_PASSWORD=dbpass
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_DOMAIN=http://mydomain.tk
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS=null
MAIL_FROM_NAME="${APP_NAME}"
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
I am using Laravel Framework in version 8.61.0 and PHP 8.0.10.
The only solution that has worked was when I commented out this in the web section of config/Kernel.php -> \App\Http\Middleware\VerifyCsrfToken::class. But it's not the fully working and safe solution that I was looking for. So my question is: are there other approaches to debug this problem, or solutions that could help? Thanks a lot guys. If there is anything you need to know that I can provide, just ask.
Remove http:// from your SESSION_DOMAIN.
If the value of config('session.domain') does not match your hostname, every page load will generate a new CSRF token.
So use SESSION_DOMAIN=mydomain.tk, SESSION_DOMAIN=.mydomain.tk or leave it blank.
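The match the answer refers to can be checked before deploying. The following is an added example, not code from the answer or from Laravel: it applies the cookie domain-matching rule of RFC 6265 to a SESSION_DOMAIN value, which ends up as the Domain attribute of the session cookie. The function name `sessionDomainProblem` is hypothetical, the hosts `www.mydomain.tk` and `otherdomain.tk` are constructed samples, and public-suffix checks that browsers also apply are left out.

```php
<?php
declare(strict_types=1);

/**
 * Returns null when a browser visiting $requestHost would keep a cookie whose
 * Domain attribute is $sessionDomain, otherwise the reason it is dropped.
 * A dropped session cookie means a new session, and so a new CSRF token,
 * on every request, and every POST then fails with 419.
 */
function sessionDomainProblem(string $sessionDomain, string $requestHost): ?string
{
    $domain = strtolower(trim($sessionDomain));
    $host   = strtolower(rtrim($requestHost, '.'));

    if ($domain === '') {
        return null; // no Domain attribute: host-only cookie, always kept
    }
    if (preg_match('~[:/\s]~', $domain)) {
        // A URL such as http://mydomain.tk can never domain-match a host name.
        return 'contains a scheme, port or path; only a bare host name can match';
    }
    if (str_starts_with($domain, '.')) {
        $domain = substr($domain, 1); // RFC 6265 5.2.3: one leading dot is ignored
    }
    if ($domain === $host) {
        return null; // identical host
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return 'request host is an IP address; only an identical value matches';
    }
    if ($domain !== '' && str_ends_with($host, '.' . $domain)) {
        return null; // request host is a subdomain of the cookie domain
    }
    return "does not domain-match request host '$host'";
}

// Values from the question and the answer, plus one constructed mismatch.
$candidates = ['http://mydomain.tk', 'mydomain.tk', '.mydomain.tk', '', 'otherdomain.tk'];

foreach (['mydomain.tk', 'www.mydomain.tk'] as $host) {
    echo "Request host: $host\n";
    foreach ($candidates as $value) {
        $problem = sessionDomainProblem($value, $host);
        printf("  SESSION_DOMAIN=%-20s %s\n", $value,
            $problem === null ? 'cookie kept' : "cookie dropped: $problem");
    }
}
```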