Software Development

How do I fix the "419 | Page Expired" error on POST requests in a Laravel application?

SA Asked by Samantha Reed · 14-02-2025
0 upvotes 12,987 views 0 comments
The question

I am developing a web app using Laravel 10, and every time I submit a form via a POST request, I get a "419 | Sorry, your session has expired" error page. I’ve checked my session lifetime in the config file, and it's set correctly. It happens even if I submit the form just seconds after the page loads. Is this a permission issue with the storage/framework/sessions folder, or am I missing a specific security token in my HTML form to verify the request?

3 answers

0
EM
Answered on 20-04-2025

The most common cause for a 419 error in Laravel is a missing CSRF (Cross-Site Request Forgery) token. Laravel automatically protects your application from cross-site request forgeries by checking for a token in the session and comparing it to the token passed in the request. To fix this, simply add the @csrf blade directive inside your <form> tags. This generates a hidden input field containing the required security token. If you are using AJAX, you must ensure the X-CSRF-TOKEN header is included in your request headers, usually by pulling the value from a meta tag in your HTML head.

0
BR
Answered on 25-04-2025

Does this error occur across all browsers, or have you noticed it specifically in environments where cookies might be blocked, such as incognito mode or certain Safari privacy settings?

TY 27-04-2025

Brandon, I noticed it was happening more frequently in Safari. It turned out my SESSION_DOMAIN in the .env file was set incorrectly, which prevented the session cookie from being sent back to the server. After clearing my browser cache and setting the domain to 'localhost' for my local environment, the 419 error stopped appearing. It's a good reminder that if the browser can't store the session cookie, the CSRF check will fail every single time.

0
JU
Answered on 05-05-2025

If you are building an API, you should move your routes to the api.php file instead of web.php. Routes in api.php do not use the CSRF middleware by default, which avoids this error.

SA 08-05-2025

I agree with Justin. I was trying to send a webhook POST to a URL defined in web.php and kept getting 419. Moving the route to api.php or adding the URL to the $except array in the VerifyCsrfToken middleware is the standard fix for external requests.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Canada

Book Free Session