Laravel 11 CSRF Token Exception at AWS EC2 instance

Updated: Jan 24, 2025

When deploying a Laravel application on an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance, you might encounter a CSRF token exception error. This error occurs when the CSRF token submitted with a request does not match the token Laravel stored in the user's session. In this post, we will discuss the causes of this issue and provide solutions to resolve it.

Causes of CSRF Token Exception in Laravel on AWS EC2:

  1. Incorrect CSRF token value: The CSRF token value submitted by the client and the token held in the server-side session do not match. This can occur for various reasons such as caching, session issues, or misconfiguration.
  2. Session problems: The session data may not be synchronized between the server and the client, leading to incorrect CSRF token values.
  3. Cookies not being sent: The cookies containing the CSRF token may not be sent with the request, causing the exception.
  4. Misconfiguration of the CSRF token middleware: The CSRF token middleware may not be configured correctly, leading to incorrect handling of the tokens.

Solutions to resolve CSRF Token Exception in Laravel on AWS EC2:

  1. Clear the cache and cookies: Clear the cache and cookies on both the server and the client to ensure that the latest CSRF token values are being used. You can clear the cache in Laravel by running the php artisan cache:clear command. To clear cookies in the browser, you can delete the cookies for your application's domain.
  2. Check session synchronization: Ensure that the session data is synchronized between the server and the client. You can check this by setting the session.cookie_domain and session.cookie_path values in the config/session.php file to match the domain and path of your application.
  3. Set the SameSite attribute for cookies: Set the SameSite attribute of the cookies that carry the CSRF token to None or Lax to ensure that the browser sends them with the requests your application makes. Note that browsers only accept SameSite=None on cookies that are also marked Secure, so 'none' requires 'secure' => true and an HTTPS origin; Lax is the safer choice whenever your forms are submitted from your own site, because it keeps the cookie out of cross-site POST requests. You can set this in the config/session.php file by adding the following lines to the cookies array:

```php
'csrf' => [
    'name' => 'XSRF-TOKEN',
    'httpOnly' => true,
    'secure' => false,          // must be true when 'same_site' is 'none'
    'same_site' => 'none',      // or 'lax'
],
```
  4. Use a CSRF token header: Instead of relying on cookies to carry the CSRF token, you can have the client send it in a request header. This can be useful in cases where cookies are not being sent with the request. To enable this, add the following middleware to the app/Http/Kernel.php file (a fresh Laravel 11 install no longer ships this file; there, middleware is registered in bootstrap/app.php through the withMiddleware callback, but the middleware class itself is the same):

```php
protected $routeMiddleware = [
    // ...
    'csrf.header' => \Illuminate\Cookie\Middleware\CSRFCookie::class,
];

protected $middlewareGroups = [
    // ...
    'web' => [
        // ...
        \Illuminate\Cookie\Middleware\AddCSRFToken::class,
        \App\Http\Middleware\EncryptCookies::class,
        // ...
        \App\Http\Middleware\VerifyCsrfToken::class,
        // ...
        \App\Http\Middleware\CSRFHeader::class, // Add this middleware
    ],
];
```

Then create the new middleware at app/Http/Middleware/CSRFHeader.php:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class CSRFHeader
{
    public function handle(Request $request, Closure $next): Response
    {
        // Token Laravel stored in the server-side session for this visitor.
        $token = $request->session()->token();

        // Token the client claims, taken from the request header (null if absent).
        $header = $request->headers->get('X-CSRF-TOKEN');

        // hash_equals() compares in constant time. The known (server) value goes
        // first, and both arguments must be strings, so an absent header or an
        // unstarted session is rejected before the comparison instead of
        // raising a TypeError.
        if (is_string($token) && is_string($header) && hash_equals($token, $header)) {
            return $next($request);
        }

        return response()->json(['error' => 'CSRF token mismatch'], 403);
    }
}
```
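The browser side of solution 4, as an added example that is not part of the original post: the server-side middleware only helps if the client actually puts the token in a header. It assumes the Blade layout renders a `<meta name="csrf-token">` tag (the way Laravel's documentation exposes the session token to scripts) and falls back to the URL-encoded XSRF-TOKEN cookie that Laravel sets; the function and variable names are my own.

```javascript
// Client side of the "CSRF token header" approach (added example, not from the original page).
// Assumption: the layout renders <meta name="csrf-token" content="{{ csrf_token() }}">.

// Parse document.cookie (or a captured Cookie header) into a name -> value map.
// Laravel URL-encodes cookie values, so they are decoded here.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Build the headers for a state-changing request. Prefer the meta tag (sent as
// X-CSRF-TOKEN, compared directly against the session token); fall back to the
// XSRF-TOKEN cookie (sent as X-XSRF-TOKEN, which Laravel decrypts). Fail loudly
// when neither is present: that is the "cookies not being sent" condition from
// the causes list, not a token mismatch, and retrying will not fix it.
function csrfHeaders({ metaToken = null, cookieString = '' } = {}) {
  const headers = { 'Accept': 'application/json', 'X-Requested-With': 'XMLHttpRequest' };
  if (metaToken) {
    headers['X-CSRF-TOKEN'] = metaToken;
  } else {
    const xsrf = parseCookies(cookieString)['XSRF-TOKEN'];
    if (!xsrf) throw new Error('no CSRF token available: meta tag missing and XSRF-TOKEN cookie not sent');
    headers['X-XSRF-TOKEN'] = xsrf;
  }
  return headers;
}

// Classify the response: Laravel's built-in VerifyCsrfToken answers 419 on a
// mismatch, the CSRFHeader middleware above answers 403. Either means the token
// the browser holds is stale (expired session, cleared cache); reload the page
// to obtain a fresh token rather than retrying blindly.
function classifyResponse(status) {
  if (status === 419 || status === 403) return 'token-mismatch';
  if (status >= 200 && status < 300) return 'ok';
  return 'other';
}

// Usage in the browser (constructed call, same-origin credentials so the session cookie travels):
// const meta = document.querySelector('meta[name="csrf-token"]');
// fetch('/profile', { method: 'POST', credentials: 'same-origin',
//   headers: { ...csrfHeaders({ metaToken: meta && meta.content, cookieString: document.cookie }),
//              'Content-Type': 'application/json' },
//   body: JSON.stringify({ name: 'x' }) }).then(r => classifyResponse(r.status));
```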

By following these solutions, you should be able to resolve the CSRF token exception error in your Laravel application deployed on an AWS EC2 instance.