I am developing a web app using Laravel 10, and every time I submit a form via a POST request, I get a "419 | Sorry, your session has expired" error page. I’ve checked my session lifetime in the config file, and it's set correctly. It happens even if I submit the form just seconds after the page loads. Is this a permission issue with the storage/framework/sessions folder, or am I missing a specific security token in my HTML form to verify the request?
3 answers
The most common cause for a 419 error in Laravel is a missing CSRF (Cross-Site Request Forgery) token. Laravel automatically protects your application from cross-site request forgeries by checking for a token in the session and comparing it to the token passed in the request. To fix this, simply add the @csrf blade directive inside your <form> tags. This generates a hidden input field containing the required security token. If you are using AJAX, you must ensure the X-CSRF-TOKEN header is included in your request headers, usually by pulling the value from a meta tag in your HTML head.
Does this error occur across all browsers, or have you noticed it specifically in environments where cookies might be blocked, such as incognito mode or certain Safari privacy settings?
If you are building an API, you should move your routes to the api.php file instead of web.php. Routes in api.php do not use the CSRF middleware by default, which avoids this error.
I agree with Justin. I was trying to send a webhook POST to a URL defined in web.php and kept getting 419. Moving the route to api.php or adding the URL to the $except array in the VerifyCsrfToken middleware is the standard fix for external requests.
Brandon, I noticed it was happening more frequently in Safari. It turned out my SESSION_DOMAIN in the .env file was set incorrectly, which prevented the session cookie from being sent back to the server. After clearing my browser cache and setting the domain to 'localhost' for my local environment, the 419 error stopped appearing. It's a good reminder that if the browser can't store the session cookie, the CSRF check will fail every single time.