Security Requests

Hi,

I have installed Laravel Administrator and am experiencing a strange issue with CSRF. I have tried to talk with the creator of the package about it and he is confused about it also, saying he's never seen this before. I am hoping this problem might be something someone has seen before and can please share information about a solution.

What happens is that when I try to send an ajax request from administrator to the server to add a record or update a model, I get a CSRF Token Mismatch error. Looking at the network tools, I can see what also appears to be a successful AJAX request to "rows_per_page" -- then the next request has issues. Here are the calls copied from Chrome as curl commands:

Successful:

```shell
curl "http://localhost:8080/admin/testimonials/rows_per_page" -H "Pragma: no-cache" -H "Origin: http://localhost:8080" -H "Accept-Encoding: gzip,deflate" -H "Accept-Language: en-US,en;q=0.8" -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Accept: application/json, text/javascript, */*; q=0.01" -H "Cache-Control: no-cache" -H "X-Requested-With: XMLHttpRequest" -H "Cookie: __ngDebug=true; _ga=GA1.1.467135933.1413743273; ilys_session=eyJpdiI6InBMTWNxNmZTSDEwcmE1NWFrNndDTnc9PSIsInZhbHVlIjoiUzhvd2pOUmVXMDkyS0JsRmpFR2J1U055bnRQWnhhYVwvYzhxdkdsVG83aWRncVhMc2tzSlJCN055SU5UNDhMOW92TUdxT0grK3BVWVVkTE5uN3hcL0JBQT09IiwibWFjIjoiOWEzMjUyNzQ0YTI4ZWZkYzkzZTgxYzA3OWM2ZjE5NDIxM2U4NzI2NjdjNTNiY2FhYTFlY2ViNzc4ZTc0NzUwOSJ9" -H "Connection: keep-alive" -H "Referer: http://localhost:8080/admin/testimonials" --data "_token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7&rows=20" --compressed
```

Returns the CSRF error:

```shell
curl "http://localhost:8080/admin/testimonials/0/save" -H "Pragma: no-cache" -H "Origin: http://localhost:8080" -H "Accept-Encoding: gzip,deflate" -H "Accept-Language: en-US,en;q=0.8" -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Accept: application/json, text/javascript, */*; q=0.01" -H "Cache-Control: no-cache" -H "X-Requested-With: XMLHttpRequest" -H "Cookie: __ngDebug=true; _ga=GA1.1.467135933.1413743273; ilys_session=eyJpdiI6IkhmYnZFU2k0NzBlanRHOE1QZ2x2bnc9PSIsInZhbHVlIjoiaG5xUXdPUVg0WFVBM00yU1hmRDFxZ2p1Z2djUWpkU0pkbEQ4a0VRb1lcLysxNDUyQ3N0TG5MUmtSRkN5XC9nQVg3MEtwcDVzN2I3eXNSSUorSitRMHNNdz09IiwibWFjIjoiZjg3N2I5ZDU1NTJkNzMwMjdkMWMxNjZkZTE4YzMxYTVhODY3MmU1ZGQwYjY2NTc2OTNlNjU5OTc1N2RhYjYzOCJ9" -H "Connection: keep-alive" -H "Referer: http://localhost:8080/admin/testimonials/new" --data "name=er&testimonial=ewrewr&active=&_token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7" --compressed
```

Both of these calls have the same _token value:

from "/rows_per_page" _token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7

from "/testimonials/0/save" _token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7

and both appear to be using XHR. If I remove the CSRF filter from the route, all is okay.

Here is the error that was logged:

```
Nov 18 20:55:28 bertha-core papertrail: production.ERROR: exception 'Illuminate\Session\TokenMismatchException' in /home/forge/beta.ilys.com/app/filters.php:117
Stack trace:
#0 [internal function]: {closure}(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#1 /home/forge/beta.ilys.com/bootstrap/compiled.php(6188): call_user_func_array(Object(Closure), Array)
#2 /home/forge/beta.ilys.com/bootstrap/compiled.php(6170): Illuminate\Events\Dispatcher->fire('router.filter: ...', Array, true)
#3 /home/forge/beta.ilys.com/bootstrap/compiled.php(5178): Illuminate\Events\Dispatcher->until('router.filter: ...', Array)
#4 /home/forge/beta.ilys.com/bootstrap/compiled.php(5160): Illuminate\Routing\Router->callRouteFilter('csrf', Array, Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#5 /home/forge/beta.ilys.com/bootstrap/compiled.php(5112): Illuminate\Routing\Router->callAttachedBefores(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#6 /home/forge/beta.ilys.com/bootstrap/compiled.php(4994): Illuminate\Routing\Router->callRouteBefore(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#7 /home/forge/beta.ilys.com/bootstrap/compiled.php(4984): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))
#8 /home/forge/beta.ilys.com/bootstrap/compiled.php(715): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))
#9 /home/forge/beta.ilys.com/bootstrap/compiled.php(696): Illuminate\Foundation\Application->dispatch(Object(Illuminate\Http\Request))
#10 /home/forge/beta.ilys.com/bootstrap/compiled.php(7744): Illuminate\Foundation\Application->handle(Object(Illuminate\Http\Request), 1, true)
#11 /home/forge/beta.ilys.com/bootstrap/compiled.php(8351): Illuminate\Session\Middleware->handle(Object(Illuminate\Http\Request), 1, true)
#12 /home/forge/beta.ilys.com/bootstrap/compiled.php(8298): Illuminate\Cookie\Queue->handle(Object(Illuminate\Http\Request), 1, true)
#13 /home/forge/beta.ilys.com/bootstrap/compiled.php(10961): Illuminate\Cookie\Guard->handle(Object(Illuminate\Http\Request), 1, true)
#14 /home/forge/beta.ilys.com/bootstrap/compiled.php(657): Stack\StackedHttpKernel->handle(Object(Illuminate\Http\Request))
#15 /home/forge/beta.ilys.com/public/index.php(49): Illuminate\Foundation\Application->run()
#16 {main} []
```

I'm pretty confused by this. Any help is appreciated!

Thanks, Mike

Last updated 3 years ago.
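The two captured requests above carry the same `_token` value but different `ilys_session` cookie strings, and the trace shows the `csrf` filter in `app/filters.php` rejecting the second one. Laravel 4's default filter compares the request's `_token` with the token held in the server-side session, so the question a practitioner would want answered is whether both requests were served by the same session. The Python below is an added diagnostic, not code from the post or from the Laravel Administrator package: it parses the two "Copy as cURL" lines (abbreviated here to the headers the check depends on; the values are the ones quoted in the post), compares token, XHR header and session cookie, and unpacks the cookie's outer `{"iv","value","mac"}` envelope without decrypting it. One caveat shapes it: Laravel 4 re-encrypts the session cookie with a fresh random IV on every response, so the cookie strings of two consecutive requests always differ, and a differing ciphertext on its own does not show that the session changed. Settling that requires a server-side check, for example logging `Session::getId()` and `Session::token()` next to `Input::get('_token')` inside the filter.

```python
"""Compare the two requests quoted in the post for the inputs Laravel 4's
csrf filter depends on.  Added diagnostic; not part of the original post."""
import base64
import hmac
import json
import shlex
from urllib.parse import parse_qs

# Abbreviated copies of the two curl commands from the post (URL, the headers
# relevant to CSRF handling, and the form body).  Cookie and token values are
# the ones quoted there; the remaining headers were dropped for brevity.
SUCCESSFUL_CURL = (
    'curl "http://localhost:8080/admin/testimonials/rows_per_page" '
    '-H "X-Requested-With: XMLHttpRequest" '
    '-H "Cookie: __ngDebug=true; _ga=GA1.1.467135933.1413743273; '
    'ilys_session=eyJpdiI6InBMTWNxNmZTSDEwcmE1NWFrNndDTnc9PSIsInZhbHVlIjoiUzhvd2pOUmVXMDkyS0JsRmpFR2J1U055bnRQWnhhYVwvYzhxdkdsVG83aWRncVhMc2tzSlJCN055SU5UNDhMOW92TUdxT0grK3BVWVVkTE5uN3hcL0JBQT09IiwibWFjIjoiOWEzMjUyNzQ0YTI4ZWZkYzkzZTgxYzA3OWM2ZjE5NDIxM2U4NzI2NjdjNTNiY2FhYTFlY2ViNzc4ZTc0NzUwOSJ9" '
    '-H "Referer: http://localhost:8080/admin/testimonials" '
    '--data "_token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7&rows=20" --compressed'
)
FAILING_CURL = (
    'curl "http://localhost:8080/admin/testimonials/0/save" '
    '-H "X-Requested-With: XMLHttpRequest" '
    '-H "Cookie: __ngDebug=true; _ga=GA1.1.467135933.1413743273; '
    'ilys_session=eyJpdiI6IkhmYnZFU2k0NzBlanRHOE1QZ2x2bnc9PSIsInZhbHVlIjoiaG5xUXdPUVg0WFVBM00yU1hmRDFxZ2p1Z2djUWpkU0pkbEQ4a0VRb1lcLysxNDUyQ3N0TG5MUmtSRkN5XC9nQVg3MEtwcDVzN2I3eXNSSUorSitRMHNNdz09IiwibWFjIjoiZjg3N2I5ZDU1NTJkNzMwMjdkMWMxNjZkZTE4YzMxYTVhODY3MmU1ZGQwYjY2NTc2OTNlNjU5OTc1N2RhYjYzOCJ9" '
    '-H "Referer: http://localhost:8080/admin/testimonials/new" '
    '--data "name=er&testimonial=ewrewr&active=&_token=CoLv8Hgc5SVF4jmpjdyLOqddsHUlSIaBSDMPrEy7" --compressed'
)


def parse_curl(command: str) -> dict:
    """Turn a 'Copy as cURL' command line into url / headers / form fields."""
    tokens = shlex.split(command)
    request = {"url": None, "headers": {}, "form": {}}
    i = 1                                      # tokens[0] is "curl"
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-H":
            name, _, value = tokens[i + 1].partition(":")
            request["headers"][name.strip().lower()] = value.strip()
            i += 2
        elif tok in ("-d", "--data", "--data-raw"):
            fields = parse_qs(tokens[i + 1], keep_blank_values=True)
            request["form"] = {k: v[0] for k, v in fields.items()}
            i += 2
        elif tok.startswith(("http://", "https://")):
            request["url"] = tok
            i += 1
        else:
            i += 1                             # bare flags such as --compressed
    return request


def parse_cookies(header: str) -> dict:
    """Split a Cookie request header into a name -> value mapping."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def unpack_laravel_cookie(value: str) -> dict:
    """Decode the outer envelope of a Laravel 4 encrypted cookie.

    The cookie is base64(JSON{"iv", "value", "mac"}).  Nothing here decrypts
    "value": that needs the application key, which the post does not contain.
    """
    envelope = json.loads(base64.b64decode(value))
    return {
        "iv": envelope["iv"],
        "ciphertext_len": len(base64.b64decode(envelope["value"])),
        "mac": envelope["mac"],
    }


def csrf_filter_passes(session_token: str, request_token: str) -> bool:
    """Model of the check the default Laravel 4 csrf filter performs: the token
    stored in the server-side session must equal the request's _token.  The
    stock filter uses a plain '!='; constant-time comparison is a hardening
    choice made here, not the filter's own code."""
    return hmac.compare_digest(session_token.encode(), request_token.encode())


def compare_requests(first: dict, second: dict, session_cookie: str) -> dict:
    """Report which CSRF-relevant inputs are identical between two requests."""
    c1 = parse_cookies(first["headers"].get("cookie", ""))
    c2 = parse_cookies(second["headers"].get("cookie", ""))
    env1 = unpack_laravel_cookie(c1[session_cookie])
    env2 = unpack_laravel_cookie(c2[session_cookie])
    return {
        "same_token": first["form"].get("_token") == second["form"].get("_token"),
        "both_xhr": all(r["headers"].get("x-requested-with") == "XMLHttpRequest"
                        for r in (first, second)),
        "same_session_cookie": c1[session_cookie] == c2[session_cookie],
        "same_cookie_iv": env1["iv"] == env2["iv"],          # fresh IV per response
        "same_ciphertext_len": env1["ciphertext_len"] == env2["ciphertext_len"],
    }


if __name__ == "__main__":
    report = compare_requests(parse_curl(SUCCESSFUL_CURL),
                              parse_curl(FAILING_CURL), "ilys_session")
    for key, same in report.items():
        print(f"{key:22s} {'same' if same else 'DIFFERENT'}")
```

Run as a script, the report shows the token and the XHR header identical, the cookie string and its IV different, and the ciphertext length identical (64 bytes in both, consistent with one encrypted session id of the same length). That pattern is exactly what a re-encrypted cookie for an unchanged session would look like, which is why the raw cookie comparison cannot decide the question and the server-side log line is the next step.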

Hi.. just checking in, refreshing the thread.

Last updated 3 years ago.
