Login laravel Trying to get property of non-object
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Debugging Authentication Failures in Laravel: Solving the "Trying to get property of non-object" Error
As a senior developer working with the Laravel ecosystem, we frequently encounter confusing errors during authentication flows. The issue you are facing—being redirected without seeing the expected view, accompanied by the cryptic Trying to get property of non-object error within the CSRF token handling—points directly to a subtle breakdown in how session or request objects are being accessed during a redirection process.
This post will dissect the symptoms you provided, diagnose the root cause of the error in your Laravel setup, and provide concrete steps to resolve this authentication conundrum. We will look closely at the interaction between your route handling, authentication guards, and the CSRF token mechanism.
Understanding the Error Context
You report that accessing /admin redirects correctly to /admin/login, but you cannot see the intended view, and you receive an error: Trying to get property of non-object in VerifyCsrfToken.php (line 156).
This specific error within the CSRF token verification mechanism indicates that a method is attempting to read a property (like $request->session()->token()) from a variable that does not hold an object reference—it’s likely null. In the context of Laravel, this usually means that the session or request object expected by the underlying framework components (like those in VerifyCsrfToken.php) is missing or hasn't been properly initialized when the redirection logic is executed.
Deconstructing the Code Flow
Let’s examine the code snippets you provided to understand where the disconnect might be occurring.
The Redirect Logic (RedirectIfAuthenticated.php)
// Handler function on RedirectIfAuthenticated.php
public function handle($request, Closure $next, $guard = null)
{
switch($guard){
case 'admin':
if (Auth::guard($guard)->check()) {
return redirect()->route('admin.dashboard');
}
break;
default:
if (Auth::guard($guard)->check()) {
return redirect('/');
}
break;
}
}
This logic correctly checks if a specific guard (admin) is authenticated. If the check fails, it redirects. While this flow looks correct for basic authentication checks, the error suggests that when Laravel attempts to execute the subsequent steps (like setting cookies for CSRF tokens) during this redirect sequence, the necessary session context might be corrupted or missing because the request state was altered unexpectedly by a preceding middleware or route definition.
The Cookie Setting Failure
$response->headers->setCookie(
new Cookie(
'XSRF-TOKEN', $request->session()->token(), Carbon::now() - getTimestamp() + 60 * $config['lifetime'],
$config['path'], $config['domain'], $config['secure'],
false
)
);
The failure happens here because $request->session() is likely returning null or an object that cannot be properly accessed, leading to the fatal error when trying to call ->token(). This strongly implies a session dependency issue.
The Root Cause: Middleware and Session Initialization
In Laravel applications, especially those involving custom route groups (like /admin), the most common cause for this type of error is an improper sequence or conflict between authentication middleware, session handling, and the specific routes being accessed.
It appears that when you hit the /admin route, the system attempts to execute the redirection logic before the session data required for CSRF token generation (which happens during a successful login) has been fully established or passed through correctly into the subsequent redirection handler.
Solution: Ensuring Session Context is Available
To fix this, we need to ensure that when authentication checks occur, the session environment is robustly handled. While your custom logic in RedirectIfAuthenticated seems fine, the issue often lies upstream.
1. Verify Session Guards: Ensure that all necessary session drivers are correctly configured and accessible across your application. In large applications, understanding how Laravel manages sessions is crucial; for instance, examining configuration details related to session handling can be very beneficial when debugging state issues, much like understanding Eloquent relationships is vital when working with data persistence on https://laravelcompany.com.
2. Review Middleware Order: Check the middleware stack applied to your /admin routes. If you have custom middleware that manipulates the request or session before the standard authentication checks run, it can disrupt the flow required by VerifyCsrfToken. Ensure that standard Laravel authentication middleware runs first and correctly initializes the session object.
3. Simplify Redirection Checks (Best Practice): Instead of relying solely on complex switch statements in redirect handlers for basic auth checks, ensure you are utilizing Laravel’s built-in route protection features where possible. If you are using Laravel Breeze or Jetstream scaffolding, these systems usually handle the session initialization automatically.
Conclusion
The Trying to get property of non-object error during an authentication redirection is rarely a bug in the core framework itself but rather a symptom of improperly managed state, specifically related to session objects, when custom logic interacts with Laravel's built-in CSRF token validation. By carefully reviewing the order of your middleware and ensuring that all necessary session context is initialized before any attempt to access $request->session(), you can resolve this issue. Focus on verifying how your custom redirection handler interacts with the standard authentication pipeline, keeping in mind robust state management as you build scalable applications on Laravel.