Requests Validation

I've got a published website; until yesterday it looked fine.
Yesterday and today, instead, I've got an error in the log file.
In both cases the error is:

[2017-02-25 11:23:26] production.ERROR: exception 'Illuminate\Session\TokenMismatchException' in /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:67
Stack trace:
#0 [internal function]: Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(Illuminate\Http\Request), Object(Closure))
#1 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(136): call_user_func_array(Array, Array)
#2 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#3 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#4 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\Routing\Pipeline->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#5 [internal function]: Illuminate\Session\Middleware\StartSession->handle(Object(Illuminate\Http\Request), Object(Closure))
#6 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(136): call_user_func_array(Array, Array)
#7 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#8 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#9 [internal function]: Illuminate\Routing\Pipeline->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#10 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#11 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(132): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#12 /phoing.com/public_html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(99): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#13 /phoing.com/public_html/index.php(54): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#14 {main}

I can't understand which form is generating this problem; I'm not even sure if it is because of a user or a bot.
This is how I handle the exceptions:

public function render($request, Exception $e)
{
    // switch (true) runs the first case whose instanceof test evaluates to true
    switch (true)
    {
        // handles token expiration, i.e. when a user waits too long before submitting a form
        case ($e instanceof TokenMismatchException):
            $title = trans('error.token_expired_title');
            $message = trans('error.token_expired');
            return response()->view('errors.custom', compact('title', 'message'));

        // these are left to the framework's default rendering
        case ($e instanceof HttpException):
        case ($e instanceof NotFoundHttpException):
        case ($e instanceof HttpResponseException):
        case ($e instanceof AuthenticationException):
        case ($e instanceof AuthorizationException):
        case ($e instanceof ValidationException && $e->getResponse()):
            return parent::render($request, $e);

        // anything else gets the generic error page
        default:
            $title = trans('error.unexpected_title');
            $message = trans('error.unexpected');
            return response()->view('errors.custom', compact('title', 'message'));
    }
}

What do you think? What should I check?

Last updated 3 years ago.
0

Maybe the user had opened the form and the session expired, and with it the CSRF token. Either increase the session expiration time or make JS log out (redirect) on session expiration.

0

I know that the cause should be that, but the exception should be handled by the
case ($e instanceof TokenMismatchException):

Instead, it is reported like an unhandled exception. Or are exceptions of that kind reported in the log file even if they are correctly handled?

Last updated 8 years ago.
0

That happened again. Is it possible that the token and session are not generated if it is a bot trying to use the form? It doesn't look probable to me that so many users are waiting so long to fill in a form; the session's lifetime is 4 hours, and I don't think that in the last 3 days 3 users waited 4 hours before filling in a form.

Last updated 8 years ago.
0

The messages continue to appear, ever 3 in 3 seconds. I'm sure that it is a bot; could it be a bot which tries to use the login form?

I don't think that I could solve this with any captcha or the like; the token is checked before the form validation.

0
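An added example, not code from any poster in this thread: in Laravel's exception handler, `report()` is called separately from `render()` and writes the log entry, so an exception that `render()` handles still produces a stack trace unless it is listed in `$dontReport`. The sketch below silences the trace and instead logs which URL, client and cookie state produced each mismatch, which is what distinguishes an expired user session from a bot posting without a session. It assumes a Laravel 5.x `App\Exceptions\Handler`; the log message text and the context key names are constructed for illustration.

```php
<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Support\Facades\Log;

class Handler extends ExceptionHandler
{
    // Exceptions listed here are skipped by parent::report(): no stack trace is logged.
    protected $dontReport = [
        TokenMismatchException::class,
    ];

    // report() does the logging and runs independently of render().
    public function report(Exception $e)
    {
        if ($e instanceof TokenMismatchException) {
            $request = request();

            // Header values are client-controlled, so cap their length before logging.
            $clip = function ($value) {
                return substr((string) $value, 0, 200);
            };

            Log::warning('CSRF token mismatch', [
                'method'              => $request->method(),
                'url'                 => $request->fullUrl(),
                'referer'             => $clip($request->headers->get('referer')),
                'ip'                  => $request->ip(),
                'user_agent'          => $clip($request->headers->get('User-Agent')),
                // false: the client never loaded a page that set the session cookie
                'sent_session_cookie' => $request->cookies->has(config('session.cookie')),
                // false: the POST carried no _token field at all
                'sent_token_field'    => $request->request->has('_token'),
            ]);

            return;
        }

        parent::report($e);
    }

    // render() stays exactly as posted in the question.
}
```

Entries where both `sent_session_cookie` and `sent_token_field` are false, repeated against the same URL within seconds, point to automated posting rather than a form left open past the session lifetime.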

1 - reload page
2 - reload / resend form
3 - regenerate token
4 - if it is a form, add csrf_field()

0

Kumidan kumidan Joined 29 Apr 2015