Token Mismatch on logon

[Louuu]

Expected Behavior (or desired behavior if a feature request)

Type correct username and password, login and see the Snipe Dashboard

---

Actual Behavior

You are redirected to the logon screen.

This has been replicated on multiple computers running Google Chrome 54.0.2840.71, however the site functions correctly in Internet Explorer - haven't tried another browser.

The session file created reports "Your form session has expired. Please try again."

---

Please confirm you have done the following before posting your bug report:

• [X ] I have enabled debug mode
• [X ] I have read checked the Common Issues page

---

Please provide answers to these questions before posting your bug report:

• Version of Snipe-IT you're running
  3.4.0.9
• What OS and web server you're running Snipe-IT on
  Windows Server 2012 and IIS
• What method you used to install Snipe-IT (install.sh, manual installation, docker, etc)
  Manual installation
• If you're getting an error in your browser, include that error
  N/A
• What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error
  /login
• If a stacktrace is provided in the error, include that too.

[2016-10-27 08:49:26] production.ERROR: exception 'Illuminate\Session\TokenMismatchException' in C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php:3227
Stack trace:
#0 [internal function]: Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(Illuminate\Http\Request), Object(Closure))
#1 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#2 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#3 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#4 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(13213): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#5 [internal function]: Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(Illuminate\Http\Request), Object(Closure))
#6 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#7 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#8 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#9 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(13150): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#10 [internal function]: Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(Illuminate\Http\Request), Object(Closure))
#11 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#12 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#13 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#14 [internal function]: Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#15 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9948): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#16 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(8226): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#17 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(8217): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#18 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(8207): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))
#19 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(2419): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))
#20 [internal function]: Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http{closure}(Object(Illuminate\Http\Request))
#21 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(52): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#22 C:\inetpub\wwwroot\snipe\vendor\fideloper\proxy\src\TrustProxies.php(46): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#23 [internal function]: Fideloper\Proxy\TrustProxies->handle(Object(Illuminate\Http\Request), Object(Closure))
#24 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#25 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#26 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#27 C:\inetpub\wwwroot\snipe\app\Http\Middleware\CheckForSetup.php(22): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#28 [internal function]: App\Http\Middleware\CheckForSetup->handle(Object(Illuminate\Http\Request), Object(Closure))
#29 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#30 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#31 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#32 C:\inetpub\wwwroot\snipe\app\Http\Middleware\NosniffGuard.php(17): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#33 [internal function]: App\Http\Middleware\NosniffGuard->handle(Object(Illuminate\Http\Request), Object(Closure))
#34 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#35 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#36 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#37 C:\inetpub\wwwroot\snipe\app\Http\Middleware\XssProtectHeader.php(17): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#38 [internal function]: App\Http\Middleware\XssProtectHeader->handle(Object(Illuminate\Http\Request), Object(Closure))
#39 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#40 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#41 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#42 C:\inetpub\wwwroot\snipe\app\Http\Middleware\FrameGuard.php(17): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#43 [internal function]: App\Http\Middleware\FrameGuard->handle(Object(Illuminate\Http\Request), Object(Closure))
#44 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#45 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#46 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#47 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(13474): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#48 [internal function]: Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(Illuminate\Http\Request), Object(Closure))
#49 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#50 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#51 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#52 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(11964): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#53 [internal function]: Illuminate\Session\Middleware\StartSession->handle(Object(Illuminate\Http\Request), Object(Closure))
#54 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#55 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#56 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#57 C:\inetpub\wwwroot\snipe\vendor\misterphilip\maintenance-mode\src\MisterPhilip\MaintenanceMode\Http\Middleware\CheckForMaintenanceMode.php(145): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#58 [internal function]: MisterPhilip\MaintenanceMode\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))
#59 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9963): call_user_func_array(Array, Array)
#60 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#61 C:\inetpub\wwwroot\snipe\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(32): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#62 [internal function]: Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#63 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(9948): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#64 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(2366): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#65 C:\inetpub\wwwroot\snipe\bootstrap\cache\compiled.php(2350): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#66 C:\inetpub\wwwroot\snipe\public\index.php(60): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#67 {main}

• Any errors that appear in your browser's error console.
  N/A
• Confirm whether the error is reproduceable on the demo.
  No
• Include any additional information you can find in app/storage/logs and your webserver's logs.
  Session file reports
• Include what you've done so far in the installation, and if you got any error messages along the way.
  All has worked OK except this
• Indicate whether or not you've manually edited any data directly in the database
  N/A

[snipe]

Check that your APP_URL in your env is exactly the same as the URL you're using in your browser, and make sure the storage directory and your temp directory are writable.

[Louuu]

I've double checked all of those. But I shall triple check in the morning. I'm not sure if they'll be the issue as the site logs in fine with IE :/

[snipe]

Can you tell me what version of Laravel you've got?

[Louuu]

As requested, the Laravel Version is 5.2.45

[snipe]

Damn. There was a change in the way the web middleware works in 5.2.7, and was hoping that might be the issue.

Are you behind a load balancer or anything that might be doing something funny with sessions?

It looks like you're not the only one having this issue:
https://laracasts.com/discuss/channels/laravel/512-logging-in-with-remember-me-causes-tokenmismatchexception-on-form-submit

Can you show me what you have for your OPTIONAL: SESSION SETTINGS in the .env file? (And make sure the COOKIE_DOMAIN matches the domain you're accessing the site from.) That part should be optional, but Chrome may have some weird behavior when you don't specify a cookie domain.

(Make sure to run php artisan config:clear to clear your configuration cache)

[Louuu]

Nope, there's no load balancer at all :)

# --------------------------------------------
# OPTIONAL: SESSION SETTINGS
# --------------------------------------------
SESSION_LIFETIME=12000
EXPIRE_ON_CLOSE=false
ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=true

I have tried with the COOKIE_DOMAIN configured as the domain however, this made no difference.

[sysnoo]

I have that issue (reported as #2837).
I commented all Session Settings in .env
It worked for me

[sysnoo]

It seems the issue is with SECURE_COOKIES
Commenting only that line and I can login

[snipe]

That doesn't really make sense though. HTTPS-only cookies are accepted in all browsers.

[snipe]

I'm sure this is a dumb question, but can you confirm that you don't have any settings or plugins in chrome that would block cookies?

[snipe]

Also, can you see if you can reproduce on the demo? I just fixed some of the HTML that was improperly nested, which chrome can sometimes choke on. If that works, you might try pulling from master.

[Louuu]

The issue you referenced this one to was the same upgrade path 👍

There shouldn't be any plugins, however I shall double check on Monday when I am back in the office. The demo works fine from my personal laptop, however, I will have to test it from the computers it was tested on at work.

[Louuu]

Hello there :)

I have double checked and there are no plugins at all in Google Chrome.
I have disabled secure cookies and this has resolved the issue for now, however the environment in which I work in wouldn't allow that as a solution :(

[snipe]

And you're running this over https, right?

[snipe]

Also, if you set ENCRYPT to true, and enable the SECURE_COOKIES option, does it still fail? (You'll need a COOKIE_DOMAIN value set to the domain you're accessing the site from as well)

[Louuu]

After setting SECURE_COOKIES back to true. This issue has resolved itself on my end on all devices!

[Louuu]

Also yes, this is running over HTTPS :)

[Louuu]

Spoke too soon! It's dropped again.

I shall have a look at the suggested methods above

---

Have looked again and the issue hasn't resolved with these settings

[steveelwood]

Same thing happened to me. It turned out that my latest upgrade to 3.6.1 replaced the .htaccess file under /public, which turned off the rewrite that forced SSL. Browsing from an insecure URL, combined with the secure cookie set to true prevented login. I uncommented the rewrite rules and once my URL was once again https://, login worked again.

@snipe, I know this may be a longshot, but is there any way to make those .htaccess rules something that can be switched on and off in the ENV file (or something more immutable) so they aren't overwritten by upgrades? It's an easy step to forget. Thanks!

[snipe]

@steveelwood unfortunately no. htaccess is at the web server layer, and the .env stuff is parsed by PHP.