"The page has expired due to inactivity" - Laravel 5.5

My register page is showing the form properly with CsrfToken ({{ csrf_field() }}) present in the form).

Form HTML

<form class="form-horizontal registration-form" novalidate method="POST" action="{{ route('register') }}">
        {{ csrf_field() }}
        ....
</form>

I am using inbuilt authentication for the users. Have not changed anything except the routes and redirects.

When I submit the form (just after reloading also), it gives that The page has expired due to inactivity. Please refresh and try again. error.

My be I am missing a very small thing. But not sure what it is. Any help?

Update

Found the issue. The session driver was set to array. Changed it to file and the error is gone now. But what is wrong if I use array?

If you're coming to this answer directly from a search, make sure you have already added the csrf token to your form with {{ csrf_field() }} like the OP.

---

If you have your session driver set to file:

May have something to do with the storage_path not being writable. This is where it stores session data regarding tokens if you're using file based sessions. The can be verified with is_writable(config('session.files'))

---

For the OP, the session driver was set to array. Array is for testing only. Since data is not persisted, it will not be able to compare the token on the next request.

> The array driver is used during testing and prevents the data stored > in the session from being persisted.

https://laravel.com/docs/5.5/session#configuration

---

Check config/session.php

Lastly, an issue I just had, we had a project which has the session domain and secure settings in config/session.php but the development site was not using HTTPS (SSL/TLS). This caused this generic error since sessions.secure was set to true by default.

I ran into the same issue in Laravel 5.5. In my case, it happened after changing a route from GET to POST. The issue was because I forgot to pass a CSRF token when I switched to POST.

You can either post a CSRF token in your form by calling:

 {{ csrf_field() }}

Or exclude your route in app/Http/Middleware/VerifyCsrfToken.php

 protected $except = [
        'your/route'
    ];

Try all of them.

composer dump-autoload
php artisan optimize
php artisan cache:clear
php artisan config:clear
php artisan route:clear
php artisan view:clear

This caused because of Illuminate\Session\TokenMismatchException look at this code sample how to handle it properly:

> https://gist.github.com/jrmadsen67/bd0f9ad0ef1ed6bb594e

My case was solved with SESSION_DOMAIN, in my local machine had to be set to xxx.localhost. It was causing conflicts with the production SESSION_DOMAIN, xxx.com that was set directly in the session.php config file.

Some information is stored in the cookie which is related to previous versions of laravel in development. So it's conflicting with csrf generated tokens which are generated by another's versions. Just Clear the cookie and give a try.

I change permission to storage and error was gone. It seemed lack of permission was the issue.

sudo chmod -R 775 storage/

For those who still has problem and nothing helped. Pay attention on php.ini mbstring.func_overload parameter. It has to be set to 0. And mbstring.internal_encoding set to UTF-8. In my case that was a problem.

add @csrf in the form and also go to VerifyCsrfToken.php

app->Http->Middleware->VerifyCsrfToken.php

protected $except = [
        'paste your route here'
    ];

In my case, the site was fine in server but not in local. Then I remember I was working on secure website.
So in file config.session.php, set the variable secure to false

'secure' => env('SESSION_SECURE_COOKIE', false),

Short answer

Add the route entry for register in app/Http/Middleware/VerifyCsrfToken.php

protected $except = [
        '/routeTo/register'
    ];

and clear the cache and the cache route with the commands:

php artisan cache:clear && php artisan route:clear

Details

Every time you access a Laravel site, a token is generated, even if the session has not been started. Then, in each request, this token (stored in the cookies) will be validated against its expiration time, set in the SESSION_LIFETIME field on config/session.php file.

If you keep the site open for more than the expiration time and try to make a request, this token will be evaluated and the expiration error will return. So, to skip this validation on forms that are outside the functions of authenticated users (such as register or login) you can add the except route in app/Http/Middleware/VerifyCsrfToken.php.

I have figured out two solution to avoid these error 1)by adding protected $except = ['/yourroute'] possible disable csrf token inspection from defined root. 2)just comment \App\Http\Middleware\VerifyCsrfToken::class line in protected middleware group in kernel

Be sure to have the correct system time on your web server. In my case, the vagrant machine was in the future (Jan 26 14:08:26 UTC 2226) so of course the time in my browser's session cookie had expired some 200+ years ago.

I had the app with multiple subdomains and session cookie was the problem between those. Clearing the cookies resolved my problem.

Also, try setting the SESSION_DOMAIN in .env file. Use the exact subdomain you are browsing.

set mbstring.func_overload = 2

it helped me

I had the same problem but the problem is not in the framework but in the browser. I don't know why but google chrome blocks cookies automatically, in my case. After allowed cookies the problem was resolved.

Many time its happening because you are testing project in back date

Solution:

use incognito new tab then test it again.

reason:

in my case another user logged in with my admin panel

I encountered the same issue on Linux-mint but then realized that the htdocs folder had no full permissions. So I changed the permissions of all the subdirectories in the htdocs folder by doing: sudo chown -c -R $USER:$USER /opt/lampp/htdocs/*

Sign in to connect to the server.

Search Error

An error has occurred: search false You don't have the peais.

Search request is longer.