How to solve "CSRF Token Mismatch" in Laravel

Stefan Izdrail

Founder & Senior Architect · 2026-06-29

Laravel Company
Solving "CSRF Token Mismatch" Errors in Laravel Applications Across Domains

Introduction

As a Laravel developer you have probably met the dreaded "CSRF token mismatch" error (HTTP 419, rendered as "Page Expired") after moving an application to a new domain. The error looks mysterious, but it has a small number of concrete causes, and once you know what Laravel's token check actually compares you can find the one that applies and stop it from coming back. This post explains what the check does, lists the causes that show up when an application changes domains, and gives step-by-step instructions to resolve them.

I. Understanding the "CSRF Token Mismatch" Error

Laravel does not generate a new token for every request. It stores one random token in the user's session and hands that token to the browser in three forms: as the hidden _token field of every form rendered with @csrf, as the csrf-token meta tag (which your JavaScript sends back in the X-CSRF-TOKEN header), and as the encrypted XSRF-TOKEN cookie (which libraries such as Axios send back in the X-XSRF-TOKEN header). On every POST, PUT, PATCH or DELETE request the VerifyCsrfToken middleware loads the session named by the session cookie and compares the token that arrived with the request against the token stored in that session. If they differ, or if no usable session cookie arrived and a fresh session with a fresh token had to be started, the request is rejected with "CSRF token mismatch". A page on another origin can make the victim's browser send a request but cannot read the token tied to the victim's session, so a forged request fails the check; that is the point of the mechanism. A legitimate request fails it only when the session, or the cookie that identifies it, has gone astray. Note that the token is regenerated whenever the session is regenerated, for example on logout.

II. Common Causes of "CSRF Token Mismatch" Errors

There are three main reasons for encountering this error after a change of domain:

1. Stale or replaced session. The form was rendered under one session and submitted under another: a tab left open longer than SESSION_LIFETIME minutes, a login or logout in another window or device that regenerated the session, an incognito window with its own cookie jar, or a deploy that changed the session driver or APP_KEY and made the sessions that existed before it unreadable. The token in the form is not a duplicate; it is simply the token of a session the server no longer has.

2. Cookie issues. This is the usual cause on a new domain. The browser never sends the session cookie back, so every request starts a fresh session with a fresh token, and the submitted token can never match. Typical reasons are a SESSION_DOMAIN that still names the old host (browsers send the cookie only to that domain and its subdomains), SESSION_SECURE_COOKIE=true while the new site is reached over plain HTTP (a Secure cookie is never sent over HTTP), or a SESSION_SAME_SITE value that does not fit a front end served from a different origin (a value of none additionally requires the Secure flag). An XSRF-TOKEN cookie issued by a server with a different APP_KEY cannot be decrypted either and counts as no token at all.

3. Session storage problems. With the file driver, sessions live under storage/framework/sessions; if that directory is missing or not writable on the new host, nothing is persisted and every request again starts fresh. The array driver never persists sessions at all, so it guarantees a mismatch on any real request. Under heavy concurrent traffic, file-based sessions can also race, with two requests for the same user writing the same file at the same time.

III. Steps to Resolve "CSRF Token Mismatch" Errors

1. Check CSRF token generation and transport: Ensure that Laravel's CSRF token is being generated, rendered into the page and sent back with the request.
You can use a browser debugging tool such as Chrome DevTools to inspect the request. On the Network tab, confirm that the POST carries either a _token field or an X-CSRF-TOKEN header whose value equals the content of the csrf-token meta tag, or an X-XSRF-TOKEN header whose value equals the XSRF-TOKEN cookie (that cookie is encrypted, so its value will not look like the meta tag value; this is expected). Then check the Cookies section of the same request: the session cookie (laravel_session by default, configurable through SESSION_COOKIE) must be sent with it. If the token is present but the session cookie is missing, the problem is cookie scope (cause 2 above), not token generation.

2. Clear stale sessions and cookies: For duplicate sessions or stale cookies, delete the site's cookies (or clear the browser's cache and cookies), close every tab of the application and log in again. Do not shorten SESSION_LIFETIME to fix this: any form left open longer than SESSION_LIFETIME minutes is rejected with a token mismatch, so a shorter lifetime produces more of these errors, not fewer, on top of more re-logins.

3. Use a reliable storage mechanism: To avoid lost or corrupted session files, store sessions in the database or in Redis. Both handle concurrent requests properly and keep session data intact across multiple application servers. For the database driver, create the sessions table (php artisan session:table, or make:session-table in Laravel 11 and later, followed by php artisan migrate; Laravel 11's default migrations already include it) and set SESSION_DRIVER=database. For Redis, make sure the Redis connection in config/database.php is reachable from every server.

4. Ensure correct configuration: Verify that SESSION_DRIVER in your .env file is a persistent driver (file, database or redis; never array outside of automated tests). For the new domain, set SESSION_DOMAIN either to an empty value (the cookie is then bound to the exact host that served it) or to the parent domain when the front end and API live on different subdomains; set SESSION_SECURE_COOKIE to match the scheme the site is actually served on; and keep SESSION_SAME_SITE at lax unless you know you need something else. Keep APP_KEY identical on every server that shares sessions. Check that SESSION_LIFETIME is reasonable and consistent across environments, and run php artisan config:clear after changing any of these so that a cached configuration does not keep the old values.

5. Avoid concurrency issues: If several requests for the same user run at the same time (parallel AJAX calls, for example), Laravel's session blocking serialises them: chain ->block() onto the route, which requires a cache driver that supports atomic locks, such as redis or database. This keeps one request's session writes from clobbering another's. It does not fix a cross-domain cookie problem, though; it only protects the session once the cookie is arriving correctly.

IV. Conclusion

CSRF token mismatches after moving a Laravel application to a new domain almost always come down to a session cookie that is not scoped to the new host, a session store that is not persisting, or a form submitted against a session that no longer exists. By understanding what the token check compares and working through the steps above, you can resolve the error without weakening the protection it provides. Keep an eye on the application's logs for 419 responses in each environment; a burst of them after a deploy is the earliest sign that one of these settings has drifted.
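As a worked illustration of what the check in section I compares and of the cookie-scope failure described in section II (cause 2), here is an added example in plain PHP. It is not code from the original post or from the Laravel framework: the session store, cookie jar and the functions tokensMatch and runScenario are this example's own, and the cookie rule it applies (host-only cookie when the Domain attribute is empty, otherwise sent to that domain and its subdomains) is the minimum needed to show the effect. The real middleware also accepts the X-XSRF-TOKEN header after decrypting it with APP_KEY; that path is left out here.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post or from Laravel): models why a
// session cookie that the browser does not send back turns every request
// into a "CSRF token mismatch". All class and function names are this
// example's own; the cookie-scoping rule is deliberately minimal.

/** Server side: sessions keyed by id, each holding its CSRF token. */
final class SessionStore
{
    /** @var array<string, string> session id => csrf token */
    private array $tokens = [];

    /** Returns [id, token]; a missing or unknown id starts a fresh session. */
    public function load(?string $id): array
    {
        if ($id === null || !isset($this->tokens[$id])) {
            $id = bin2hex(random_bytes(20));
            $this->tokens[$id] = bin2hex(random_bytes(20)); // fresh token
        }
        return [$id, $this->tokens[$id]];
    }
}

/** Browser side: a cookie jar that honours the Domain attribute. */
final class CookieJar
{
    /** @var array<int, array{name: string, value: string, domain: string}> */
    private array $cookies = [];

    public function store(string $name, string $value, string $domain, string $host): void
    {
        // Empty Domain => host-only cookie bound to the responding host.
        // A leading dot (as in SESSION_DOMAIN=.example.com) is ignored by browsers.
        $domain = ltrim($domain, '.');
        $this->cookies[] = ['name' => $name, 'value' => $value,
                            'domain' => $domain === '' ? $host : $domain];
    }

    public function get(string $name, string $host): ?string
    {
        foreach ($this->cookies as $c) {
            $covers = $c['domain'] === $host || str_ends_with($host, '.' . $c['domain']);
            if ($c['name'] === $name && $covers) {
                return $c['value'];
            }
        }
        return null; // cookie exists but is scoped to another domain: not sent
    }
}

/**
 * The comparison the middleware performs: the token may arrive as the _token
 * form field or as the X-CSRF-TOKEN header (both carry the plain token) and
 * is compared against the session's token in constant time.
 */
function tokensMatch(string $sessionToken, array $input, array $headers): bool
{
    $sent = $input['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    return is_string($sent) && hash_equals($sessionToken, $sent);
}

/** One GET that renders a form, then one POST that submits it. Returns the POST status. */
function runScenario(string $sessionDomain, string $host): int
{
    $store = new SessionStore();
    $jar = new CookieJar();

    // GET /form: no cookie yet, so a session is created and its cookie is set
    // with Domain taken from SESSION_DOMAIN. The form embeds this session's token.
    [$sid, $formToken] = $store->load($jar->get('laravel_session', $host));
    $jar->store('laravel_session', $sid, $sessionDomain, $host);

    // POST /form: whichever cookie the jar is willing to send decides which
    // session the server loads, and therefore which token it expects.
    [, $expected] = $store->load($jar->get('laravel_session', $host));
    return tokensMatch($expected, ['_token' => $formToken], []) ? 200 : 419;
}

// Old domain still configured while the app is served from new.example.com:
// the cookie is scoped to old.example.com and never comes back, so the POST
// lands in a brand-new session whose token differs from the one in the form.
printf("SESSION_DOMAIN=old.example.com on new.example.com -> %d\n",
    runScenario('old.example.com', 'new.example.com'));

// Fix: empty SESSION_DOMAIN gives a host-only cookie, so the POST reuses the
// session that rendered the form.
printf("SESSION_DOMAIN= on new.example.com -> %d\n",
    runScenario('', 'new.example.com'));

// A parent-domain cookie also covers subdomains, the setting to use when the
// front end and the API live on different subdomains of one site.
printf("SESSION_DOMAIN=.example.com on app.example.com -> %d\n",
    runScenario('.example.com', 'app.example.com'));
```

Run it with php on any PHP 8 installation. The first scenario reports 419 every time, because the server never sees the same session twice; the two corrected configurations report 200. The same reasoning applies to a Secure cookie on an HTTP site or a SameSite=None cookie without the Secure flag: the cookie exists in the browser, it is just never attached to the request.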
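Step 4 above lists the .env values to verify before the application goes live on the new host. The following added example, written for this post rather than taken from the original text or from Laravel, turns those checks into a small pre-deploy script. It parses a constructed "before" .env (settings copied unchanged from the old host) and its corrected counterpart, and reports the settings that would cause a mismatch. The rules encode documented Laravel behaviour: the array session driver does not persist, the session cookie is only sent where SESSION_DOMAIN and SESSION_SECURE_COOKIE allow, and a SameSite=None cookie must also be Secure. The function names parseEnv and checkSessionEnv, the placeholder APP_KEY and the sample hostnames are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post or from Laravel): a pre-deploy
// check over the session-related .env values that cause "CSRF token
// mismatch" on a new domain. All names and sample values are this example's own.

/** Parse KEY=VALUE lines; comments and blanks are ignored, surrounding quotes stripped. */
function parseEnv(string $env): array
{
    $out = [];
    foreach (preg_split('/\R/', $env) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$k, $v] = explode('=', $line, 2);
        $out[trim($k)] = trim(trim($v), "\"'");
    }
    return $out;
}

/** Returns a list of findings; an empty list means nothing obviously wrong. */
function checkSessionEnv(array $env): array
{
    $findings = [];
    $appHost  = parse_url($env['APP_URL'] ?? '', PHP_URL_HOST) ?: '';
    $scheme   = parse_url($env['APP_URL'] ?? '', PHP_URL_SCHEME) ?: 'http';
    $driver   = $env['SESSION_DRIVER'] ?? 'file';
    $domain   = ltrim($env['SESSION_DOMAIN'] ?? '', '.');
    $secure   = filter_var($env['SESSION_SECURE_COOKIE'] ?? 'false', FILTER_VALIDATE_BOOLEAN);
    $sameSite = strtolower($env['SESSION_SAME_SITE'] ?? 'lax');
    $lifetime = (int) ($env['SESSION_LIFETIME'] ?? 120);

    if ($driver === 'array') {
        $findings[] = 'SESSION_DRIVER=array never persists: every request gets a new token.';
    }
    if ($domain !== '' && $domain !== $appHost && !str_ends_with($appHost, '.' . $domain)) {
        $findings[] = "SESSION_DOMAIN=$domain does not cover the APP_URL host $appHost: "
                    . 'the session cookie will not be sent back.';
    }
    if ($secure && $scheme !== 'https') {
        $findings[] = 'SESSION_SECURE_COOKIE=true but APP_URL is not https: '
                    . 'browsers will not send the cookie over plain HTTP.';
    }
    if ($sameSite === 'none' && !$secure) {
        $findings[] = 'SESSION_SAME_SITE=none requires SESSION_SECURE_COOKIE=true, '
                    . 'otherwise the cookie is rejected.';
    }
    if ($lifetime < 30) {
        $findings[] = "SESSION_LIFETIME=$lifetime minutes is very short: forms left open "
                    . 'longer than this fail with a token mismatch.';
    }
    if (($env['APP_KEY'] ?? '') === '') {
        $findings[] = 'APP_KEY is empty: the encrypted session and XSRF-TOKEN cookies cannot be produced or read.';
    }
    return $findings;
}

// Constructed "before": values copied from the old host to the new one.
$before = <<<'ENV'
APP_URL=http://new.example.com
APP_KEY=base64:placeholder-key-for-this-example-only=
SESSION_DRIVER=array
SESSION_DOMAIN=old.example.com
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=none
SESSION_LIFETIME=5
ENV;

// Corrected: persistent driver, host-only cookie on the new host, flags that
// match how the site is actually served, a lifetime that tolerates open forms.
$after = <<<'ENV'
APP_URL=https://new.example.com
APP_KEY=base64:placeholder-key-for-this-example-only=
SESSION_DRIVER=database
SESSION_DOMAIN=
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=lax
SESSION_LIFETIME=120
ENV;

foreach (['before' => $before, 'after' => $after] as $label => $env) {
    $findings = checkSessionEnv(parseEnv($env));
    echo $label . ': ' . ($findings === [] ? 'no findings' : '') . PHP_EOL;
    foreach ($findings as $finding) {
        echo '  - ' . $finding . PHP_EOL;
    }
}
```

Feed it the real .env of the new host (for example by replacing the constructed strings with file_get_contents('.env')) and run it as part of the deploy. It reports four problems for the "before" file (array driver, wrong SESSION_DOMAIN, Secure cookie on an http APP_URL, five-minute lifetime) and none for the corrected one. It is a sanity check, not a substitute for the DevTools inspection in step 1: a cached configuration can still override .env until php artisan config:clear has run.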