Intermittent CSRF token mismatch since upgrading to Laravel 12 when logging in

[sts-ryan-holton]

Laravel Version

12.19.3

PHP Version

8.3.22

Database Driver & Version

MySQL 8

Description

Hi, this is going to be a relatively vague bug report, because I'm not quite sure what's happening. Ever since I upgraded from Laravel 11 to Laravel 12 a few weeks ago with Laravel Shift I've noticed intermittent CSRF token mismatch errors when people try to log in.

What's weird, when they clear their browser cookies, or use a different browser window the issue seems to go away, and could then return after some time.

I'm using Redis, though my session driver is file. My Laravel project is serving as an API backend to a Nuxt JS 2.x front-end,. but nothing on the front-end or in Redis has changed between the upgrade.

What's weird, I have Sentry installed, and not even Sentry is picking up the CSRF token mismatch errors.

Wondering if anyone else is experiencing this

Steps To Reproduce

This is my .env session details which has remained like this through Laravel 11 and 12:

CACHE_STORE=redis
CACHE_PREFIX=
QUEUE_CONNECTION=redis
SESSION_DRIVER=file
SESSION_LIFETIME=1440
SESSION_DOMAIN=domain-monitor.io
SESSION_ENCRYPT=false
SESSION_PATH=/

Here's my composer.json

{
    "name": "laravel/laravel",
    "type": "project",
    "description": "The Laravel Framework.",
    "keywords": [
        "framework",
        "laravel"
    ],
    "license": "MIT",
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/laravel-shift/webhook.git"
        }
    ],
    "require": {
        "php": "^8.2",
        "cknow/laravel-money": "8.4.0",
        "doctrine/dbal": "^4.2",
        "dompdf/dompdf": "3.1.0",
        "geerlingguy/ping": "1.2.1",
        "google/apiclient": "2.18.3",
        "laravel-notification-channels/twitter": "8.3.0",
        "laravel-notification-channels/webhook": "dev-l12-compatibility",
        "laravel/cashier": "15.7.0",
        "laravel/fortify": "1.27.0",
        "laravel/framework": "12.20.0",
        "laravel/horizon": "5.33.1",
        "laravel/nightwatch": "1.10.6",
        "laravel/octane": "2.11.0",
        "laravel/pulse": "1.4.2",
        "laravel/sanctum": "4.1.2",
        "laravel/slack-notification-channel": "3.6.0",
        "laravel/socialite": "5.21.0",
        "laravel/telescope": "5.10.0",
        "laravel/tinker": "2.10.1",
        "laravel/vonage-notification-channel": "3.3.2",
        "maatwebsite/excel": "3.1.64",
        "nesbot/carbon": "^3.8",
        "propaganistas/laravel-disposable-email": "2.4.16",
        "propaganistas/laravel-phone": "6.0.2",
        "rinvex/countries": "9.0.1",
        "sentry/sentry-laravel": "4.15.1",
        "snoeren-development/laravel-discord-webhook-channel": "1.12.0",
        "spatie/laravel-health": "1.34.3",
        "spatie/laravel-tags": "4.10.0",
        "symfony/http-client": "^7.2",
        "symfony/mailgun-mailer": "^7.2",
        "symfony/process": "^7.2"
    },
    "require-dev": {
        "deployer/deployer": "7.5.*",
        "fakerphp/faker": "^1.23",
        "laravel/sail": "1.43.*",
        "mockery/mockery": "^1.6",
        "nunomaduro/collision": "^8.6",
        "phpunit/phpunit": "^12.2.1",
        "spatie/laravel-horizon-watcher": "^1.1",
        "spatie/laravel-ignition": "^2.9",
        "laravel/pail": "^1.2.2"
    },
    "config": {
        "optimize-autoloader": true,
        "preferred-install": "dist",
        "sort-packages": true,
        "allow-plugins": {
            "composer/package-versions-deprecated": true,
            "php-http/discovery": true,
            "pestphp/pest-plugin": true
        }
    },
    "extra": {
        "laravel": {
            "dont-discover": []
        }
    },
    "autoload": {
        "psr-4": {
            "App\\": "app/",
            "Database\\Factories\\": "database/factories/",
            "Database\\Seeders\\": "database/seeders/"
        },
        "files": [
            "app/helpers.php"
        ],
        "classmap": [
            "database/seeders",
            "database/factories"
        ]
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    },
    "minimum-stability": "stable",
    "prefer-stable": true,
    "scripts": {
        "post-autoload-dump": [
            "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
            "@php artisan package:discover --ansi"
        ],
        "post-root-package-install": [
            "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
        ],
        "post-create-project-cmd": [
            "@php artisan key:generate --ansi"
        ],
        "post-update-cmd": [
            "@php artisan vendor:publish --tag=laravel-assets --ansi --force"
        ],
        "dev": [
            "Composer\\Config::disableProcessTimeout",
            "npx concurrently -c \"#93c5fd,#c4b5fd,#fb7185,#fdba74\" \"php artisan serve\" \"php artisan queue:listen --tries=1\" \"php artisan pail --timeout=0\" \"npm run dev\" --names=server,queue,logs,vite"
        ]
    }
}

[mbdonsta]

Does you APP_NAME contains dot (".") or something similar? I fixed this by changing config/session.php.

From this:

'cookie' => env( 'SESSION_COOKIE', Str::snake((string) env('APP_NAME', 'laravel')).'_session' ),

To this:

'cookie' => env( 'SESSION_COOKIE', Str::slug((string) env('APP_NAME', 'laravel'), '_').'_session' ),

Or you can add SESSION_COOKIE= to you .env file.

For example:
SESSION_COOKIE=custom_cookie_name

And I hope, that devs will fix this soon :)

[sts-ryan-holton]

Does you APP_NAME contains dot (".") or something similar? I fixed this by changing config/session.php.

From this:

'cookie' => env( 'SESSION_COOKIE', Str::snake((string) env('APP_NAME', 'laravel')).'_session' ),

To this:

'cookie' => env( 'SESSION_COOKIE', Str::slug((string) env('APP_NAME', 'laravel'), '_').'_session' ),

Or you can add SESSION_COOKIE= to you .env file.

For example: SESSION_COOKIE=custom_cookie_name

And I hope, that devs will fix this soon :)

I don't have any dots in my APP_NAME

[crynobone]

Hey there, thanks for reporting this issue.

We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?

Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

laravel new bug-report --github="--public"

Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.

Thanks!

[macropay-solutions]

When using sticky session (via memcache or redis) on a multi container deployment, if the containers have different APP_NAME they will act just like you said. When you hit a container that has your session it will work, when not it will not.

make sure this is the same in cache.php

    'prefix' => env('CACHE_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_') . '_cache'),

SESSION_DRIVER=file

using file on a multi container deployment for session is not ok.

    | Supported: "file", "cookie", "database", "apc",
    |            "memcached", "redis", "dynamodb", "array"
    |
    */

    'driver' => env('SESSION_DRIVER', 'memcached'),

Also check l12 vs l11 env names, maybe they changed.

[mjamilasfihani]

Does you APP_NAME contains dot (".") or something similar? I fixed this by changing config/session.php.

From this:

'cookie' => env( 'SESSION_COOKIE', Str::snake((string) env('APP_NAME', 'laravel')).'_session' ),

To this:

'cookie' => env( 'SESSION_COOKIE', Str::slug((string) env('APP_NAME', 'laravel'), '_').'_session' ),

Or you can add SESSION_COOKIE= to you .env file.

For example: SESSION_COOKIE=custom_cookie_name

And I hope, that devs will fix this soon :)

you are cool dude!

I just re-check again the boilerplate https://github.com/laravel/laravel/blob/624fb58ad893a29cdcbd1173e7db731a9d403971/config/session.php#L132 and my question is, why they doing it? so I can't use [dot] in my App or something?

[sts-ryan-holton]

In my system, yes, I have various servers, 2 forge, and one digital ocean, but the SESSION_* keys and APP_NAME are the same on all three. So I don't see why a CSRF token mismatch would be thrown.

Worth noting, i was running Laravel 11 on the same three installs and wasn't experiencing this issue there, only since updating to Laravel 12 have I been seeing it.

[nickturrietta]

Symfony uses the PHP $_COOKIE superglobal array.
See Symfony\Component\HttpFoundation\Request@createFromGlobals()

The PHP $_COOKIE superglobal array automatically converts "." and spaces to "_" in all keys
https://www.php.net/manual/en/reserved.variables.cookies.php#119381

If $session->getName() in Illuminate\Session\Middleware\StartSession contains a ".", as is the case when the user has an APP_NAME that contains a ".", then a new session is created on every request, which naturally leads to CSRF mismatches.

I wasn't able to test thoroughly, but replacing $session->getName() with str_replace('.', '_', $session->getName()) in Illuminate\Session\Middleware\StartSession@getSession and Illuminate\Session\Middleware\StartSession@addCookieToResponse seemed to fix the issue.

[crynobone]

This should be fixed via laravel/laravel#6646