dealing with CSRF and XSRF-token error messages

This question is linked to one that still could not get resolved but I have pinned it very precisely now and I am focusing on what I know is the cause of error, yet I have tried all the means known to me.

The problem is that a $.post from jQuery to a controller throws a 500 internal server error which is actually a “mismatch token exception” that is caught in line 67 of the VerifyCSRFToken.php file.

Therefore, the controller does not get the value because the Middleware stays in the middle.

In order to try to deal with this I have done:

1) Went to the App\Middleware\VerifyCSRFToken.php and included the route that is in the jQuery snippet as to be ignored. That should suffice, but it doesn’t.

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = ['findcountries', 'findpaises', 'prueba'];
    }

2) Also, I went and added this metatag in the view page. (actually this would be if I want to allow the sending with csrf)

<meta name="csrf-token" content="{{ csrf_token() }}">

3) I included this code snippet that I call from the view:

    // public/js/config.js
    $(function () {
        $.ajaxSetup({
            headers: { 'X-CSRF-TOKEN': $('meta[name="_token"]').attr('content') }
        });
    });

What baffles me is that it is the copy-paste code which was working on my production server for months; actually the ignore routes in CSRFVerifyToken php file did the trick, I did not even need the metatag and the other snippet.

Now I am developing an improved version of the web in cloud9 and I can’t get rid of this problem.

Does anyone know what could be done about it?

thank you

This is the code that gives the problem:

    function cargarProvincias() {
        var country = $('#country').val();
        var $url = "{{ URL::route('findcountries') }}";

        // this one ==> the $.post call that throws the 500 error
        $.post($url, { pais: country }, function (data) {
            $.each(data, function (key, value) {
                $('#regions').append('<option value="' + key + '">' + value + '</option>');
            });
        });
    }



Method 1

The token you’re using is from metatags, that’s wrong. Let’s say you have 2 different forms on the same page, it won’t work!

You should use the token inside the form generated by Laravel. I grabbed this code from another question that may help you.

How to call route of controller with ajax serialize

    var formId = '#radicado';

    // Read the token from the hidden input inside the form itself
    var token = document.getElementById('token').value;

    // `ip` (the base URL) is defined elsewhere in the code this was taken from
    $.ajax({
        async: true,
        headers: {'X-CSRF-TOKEN': token},
        url: ip + '/storeVersion',
        type: 'POST',
        data: $(formId).serialize(),
        dataType: 'html',
        success: function (result) {
            document.getElementById("version").style.display = "none";
            document.getElementById("preview").style.display = "none";
        },
        error: function () {
            alert('No se ha actualizado el documento.');
        }
    });

Remember, the CSRF token is inside the form you’re trying to send.

Method 2

The issue lay in the HTTPS (SSL-encrypted) environment where it is developed.

The content that I had in the page, such as calls to JS from Google which were not under https but http, would be blocked because of the mixed-content conflict.

I disabled the browser protection so as to make it all http, but the site under https would then be telling me that I am doing some sort of cross-site request forgery because the origin of the form (http) was not the same as the one the environment is in (https).

So, only when the URL of the page where the form was in was not under https would the code work. I can edit the headers on the fly, removing or adding the s in the http, and see how success or failure followed.

I first got rid of the Form and left only a select list and a plain simple select list and this very simple jquery code:


    jQuery(document).ready(function () {
        // cargarCiudades();

        function cargarProvincias() {
            var country = $('#country').val();
            // alert(country);
            var $url = "{{ URL::route('findcountries') }}";
            // alert($url);
            $.post($url, { input: country }, function (data) {
                // callback body not shown in the original post
            });
        }
    });



Then I placed this select list inside a form, no problem. Something like this:

    {!! Form::open(array('route' => '', 'files'=>true)) !!}

This is what happens if you remove the route from Exclusion CSRFVerifyFile:

[Screenshots: changing headers; 200 ok]

In the first picture, you see the 500 error if I removed the route from here:


    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = ['findpaises', 'prueba', '/', 'propertyfound'];
    }

So, as I said, you can get away with not sending any CSRF token either in your Ajax or your form IF and ONLY IF you include it in the ignore list array above.

Also I must say, Firefox is NOT a good browser to check for development issues. You may have fixed the issue, Firefox will rest with its errors stored.

Today I found out Slimjet as a browser, if you use it you will see what I mean. Firefox crashed my computer because of its bloody plugins, while everything is built-in in Slimjet.
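
An added example (not from the original posts and not Laravel's own code): a simplified JavaScript model of the decision the CSRF middleware makes, with constructed function names and a constructed token. It shows the two points the thread turns on: the question's meta tag is named `csrf-token` while its config.js selector reads `meta[name="_token"]`, and a route listed in `$except` is accepted with no token at all.

```javascript
// Simplified model of a Laravel-style CSRF check. All names are constructed for this example.
const READ_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Compare without an early exit so timing does not depend on the matching prefix.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns which rule decided the request: 'read', 'excluded', 'token-ok' or 'mismatch'.
// Exclusions are matched exactly here; wildcard patterns are left out of this model.
function verifyCsrf(req, sessionToken, except) {
  if (READ_METHODS.includes(req.method)) return 'read';
  const path = req.path.replace(/^\/+|\/+$/g, '') || '/';
  if (except.includes(path)) return 'excluded';       // no token check at all
  const sent = (req.body && req.body._token) || req.headers['x-csrf-token'];
  return safeEqual(sent, sessionToken) ? 'token-ok' : 'mismatch';
}

// Client side: models $('meta[name="..."]').attr('content') over a page's meta tags.
function headersFromMeta(metaTags, selectorName) {
  return { 'x-csrf-token': metaTags[selectorName] };  // undefined when no tag has that name
}

function demo() {
  const sessionToken = 'constructed-session-token-0001';  // constructed sample value
  const meta = { 'csrf-token': sessionToken };            // <meta name="csrf-token" ...>
  const post = (headers) => ({ method: 'POST', path: '/findcountries', headers, body: { pais: 'ES' } });
  return {
    // Selector name used in the question's config.js: no tag matches, token is undefined.
    wrongSelector: verifyCsrf(post(headersFromMeta(meta, '_token')), sessionToken, []),
    // Selector that matches the tag's name: the header carries the session token.
    rightSelector: verifyCsrf(post(headersFromMeta(meta, 'csrf-token')), sessionToken, []),
    // Route in the exclusion list: accepted without any token, whatever page sent it.
    excluded: verifyCsrf(post({}), sessionToken, ['findcountries']),
    // A request that does not know the session token fails on a protected route.
    forged: verifyCsrf(post({ 'x-csrf-token': 'guess' }), sessionToken, []),
  };
}

console.log(demo());
```

The `excluded` result is the trade-off behind the ignore list: the 500 goes away because the check no longer runs for that route, so the route should only be listed when it does nothing that needs CSRF protection.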

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
