TokenMismatchException and Load Balancers
If you’re getting a TokenMismatchException when submitting forms and you’re also running a load balancer, this might clear things up.
By default, sessions are stored on the filesystem in local/storage/framework/sessions. CSRF tokens are stored in the user’s session.
If a user has their session file created on one server, then submits a form which is handled by another server,
their session may be re-created and result in a missing or invalid token. That’s when the
Some potential solutions to this:
- Somehow make sure local/storage/framework/sessions is shared across the servers.
- Change the session driver to something persistent across servers by changing
- Disable CSRF verification by adding
site/settings/system.yaml. For obvious reasons, this may be a bad idea.
- Consider if a load balancer is really necessary for your site.
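The failure described above, and the effect of a shared session store, can be reproduced with a small model. This is an added example, not Statamic or Laravel code: the `Node` class, the `run` function, the two-server round-robin balancer without sticky sessions, and the `_token` session key are all assumptions made for the illustration.

```python
import hmac
import secrets
from itertools import cycle


class Node:
    """One web server behind the balancer (a model, not Statamic code)."""

    def __init__(self, store):
        self.store = store  # session_id -> session data

    def _session(self, session_id):
        # A node that cannot find the session re-creates it with a new token.
        return self.store.setdefault(session_id, {"_token": secrets.token_hex(20)})

    def render_form(self, session_id):
        # The token embedded in the form comes from this node's view of the session.
        return self._session(session_id)["_token"]

    def submit_form(self, session_id, submitted_token):
        # Constant-time comparison of the stored token and the submitted one.
        return hmac.compare_digest(self._session(session_id)["_token"], submitted_token)


def run(shared_store, requests=4):
    """Return one result per form round trip: True = accepted, False = mismatch."""
    shared = {}
    # Per-node stores model session files on each server's local disk.
    nodes = [Node(shared if shared_store else {}) for _ in range(2)]
    balancer = cycle(nodes)  # round-robin, no sticky sessions (assumption)
    session_id = secrets.token_hex(8)  # constructed session cookie value
    results = []
    for _ in range(requests):
        token = next(balancer).render_form(session_id)                 # GET the form
        results.append(next(balancer).submit_form(session_id, token))  # POST it
    return results


if __name__ == "__main__":
    print("per-node session files:", run(shared_store=False))
    print("shared session store:  ", run(shared_store=True))
```

With per-node stores every submission is rejected, because the node handling the POST never saw the token the other node issued; with one store behind both nodes every submission is accepted.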
TokenMismatchException in the Control Panel
If AJAX scripts are not loading in the Control Panel (i.e. Suggestion boxes, any time you try to save data), this could be down to a TokenMismatchException. You can check this by firing up Inspector and checking the Resources tab. If you have changed your APP_KEY (i.e. if you’ve updated to a new Statamic website) then this could cause a TokenMismatchException; try clearing your browser’s cookies.