I'm hoping this gets a response as well. We've experienced this in L4.2 and now L5.0.

A small percentage of our visitors appear to have cookies disabled, so their form posts are met with TokenMismatchExceptions. We use jQuery ajax posts to an API route but I believe you can simulate this on any CSRF-protected form.

I'd try to capture the laravel_session cookie value and manually pass that in as a form parameter, registering the session from the destination controller. However I think we're losing some laravel security benefits by registering sessions based on query parameters.

Otherwise we will need to either remove the CSRF middeware entirely or simply accept that cookie-less users can't post public forms.