framework: Refreshing doesn't fix `The page has expired due to inactivity. Please refresh and try again.`
- Laravel Version: 5.6.23
- PHP Version: 7.2.4
- Database Driver & Version: mysql / MariaDB 10.1.33
- Windows 7 64-bit / XAMPP v3.2.2
- Firefox 60.0.2
Description & Steps To Reproduce:
Refreshing doesn’t fix `The page has expired due to inactivity. Please refresh and try again.`
The page with the form:
```html
<form method="POST" action="{{ route('admin.users.update', $user) }}">
    @method('PUT')
    @csrf
    . . .
```
… was opened in Firefox for some time and there was no activity (I was AFK 🎲).
When I came back and tried to submit it - I got the following message:
`The page has expired due to inactivity. Please refresh and try again.`
… which was expected. But the problem was that I could not get rid of this message. I would go back one page, press “Ctrl + Shift + R” - and I would get this message again after submitting the form.
So refreshing didn’t fix it.
I also tried to clean browser’s cache, Laravel cache (`php artisan cache:clear`, `php artisan config:clear`, `php artisan clear-compiled`, `php artisan route:clear`, `php artisan view:clear`) - and it didn’t work.
But when I closed and opened the browser - there was no more of that message, everything worked as it should.
Is this a bug? I’m worried about the end users of the website, if that happens to them … they will be lost 🤔
`config/session.php` was not changed after installing Laravel.
```php
'driver' => env('SESSION_DRIVER', 'file'),
'lifetime' => env('SESSION_LIFETIME', 120),
'expire_on_close' => false,
'encrypt' => false,
'files' => storage_path('framework/sessions'),
'connection' => null,
'table' => 'sessions',
'store' => null,
'lottery' => [2, 100],
'cookie' => env(
    'SESSION_COOKIE',
    str_slug(env('APP_NAME', 'laravel'), '_').'_session'
),
'path' => '/',
'domain' => env('SESSION_DOMAIN', null),
'secure' => env('SESSION_SECURE_COOKIE', false),
'http_only' => true,
'same_site' => null,
```
… and there’s nothing in `.env` that is used in `config/session.php` except:
```
SESSION_DRIVER=file
SESSION_LIFETIME=120
```
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 21 (7 by maintainers)
As far as I understand, the problem stems from CSRF token invalidation due to session expiry.
I found a simple solution for handling this error more or less gracefully.
Use the `VerifyCsrfToken::handle()` in your application to wrap the parent call to handle in a try-catch block which catches the `TokenMismatchException` and redirects back with an error message. You can see a simple example here: VerifyCsrfToken
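The approach described in the comment above, as an added example that is not from the original thread, the linked example, or the Laravel project: an override of `handle()` in the application's `app/Http/Middleware/VerifyCsrfToken.php`. The error key `csrf`, the message text and the list of fields kept out of the flashed input are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
use Illuminate\Session\TokenMismatchException;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from CSRF verification. Left empty on purpose:
     * handling the expiry gracefully is not a reason to exempt routes.
     */
    protected $except = [];

    public function handle($request, Closure $next)
    {
        try {
            // The parent still performs the token comparison. A mismatch
            // aborts the request before the controller runs.
            return parent::handle($request, $next);
        } catch (TokenMismatchException $e) {
            // API / XHR clients should keep receiving the framework's
            // default 419 response rather than an HTML redirect.
            if ($request->expectsJson()) {
                throw $e;
            }

            // The submitted action is NOT performed. The user is sent back
            // to the form, which is re-rendered with the token of the
            // current session, so the next submit can succeed.
            return redirect()
                ->back()
                // Never flash the stale token or credentials to the session.
                ->withInput($request->except([
                    '_token', 'password', 'password_confirmation',
                ]))
                ->withErrors([
                    // Assumed key and wording; display it in the form view.
                    'csrf' => 'Your session expired. Please submit the form again.',
                ]);
        }
    }
}
```

The request that failed verification is still rejected; only the response changes from the error page to a redirect, so the CSRF protection itself is unchanged.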
@GlitterCakes - it's a problem with your sessions, which then causes a CSRF token mismatch.