Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
What Is CSRF Token Mismatch and 6 Ways to Fix It

What Is CSRF Token Mismatch and 6 Ways to Fix It

Nedim Marić

What Is CSRF?

Cross-Site Request Forgery (CSRF) is a web application attack that forces an end user to execute unwanted actions on a web application in which they’re authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

With a little bit of social engineering, such as sending a link via email or chat, an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like changing their email address or password. If the victim is an administrative account, CSRF can compromise the entire web application.

What Does CSRF Token Mismatch Mean? 

CSRF tokens are random, unique values associated with a user’s session. They are used to verify that requests and submissions made to a particular website originated from that site. The CSRF token mismatch error occurs when the CSRF token in a user’s session doesn’t match the one sent with their request.

Consider a user visiting a website which is protected against CSRF attacks by using CSRF tokens. Every time the user sends a request or submits data, the website checks that the CSRF token sent with your request matches the one associated with your session. If these tokens don’t match, it’s a CSRF token mismatch, and the website will return an error, potentially preventing the user’s request from going through. There are two possibilities:

  • The user is experiencing a CSRF attack: In this case, the CSRF token mismatch error can effectively block the attack.
  • The user is not experiencing a CSRF attack: This is the more common case, and this means the CSRF token mismatch error is a technical issue, which needs to be resolved to avoid hurting the user experience.

Related content: Read our guide to CSRF attack

Example of CSRF Token Mismatch: Laravel API

Laravel, a popular PHP framework for web application development, provides in-built CSRF protection. Laravel’s CSRF middleware automatically generates a CSRF token for each active user session managed by the application. This token is stored in the user’s session data and also embedded in HTML forms as a hidden field or added to the header of AJAX requests.

Laravel requires that every POST, PUT, PATCH, and DELETE request includes the CSRF token. It automatically checks this token against the one stored in the session. If they don’t match, Laravel throws a TokenMismatchException.

Here are the most common causes of a CSRF token mismatch error in Laravel:

  • Session timeout: If the user’s session expires due to inactivity, the CSRF token stored in the session is no longer valid. Any subsequent requests with the old CSRF token will result in a mismatch.
  • Form page caching: If a form page is cached, the CSRF token embedded in the form might be outdated by the time the user submits the form.
  • AJAX requests: For AJAX requests, if the CSRF token is not included in the request headers or is outdated, it will cause a mismatch.
  • Configuration issues: Incorrect configuration of session or middleware settings in Laravel can lead to improper handling of CSRF tokens.

And here are a few quick solutions:

  • Refreshing CSRF token: For session timeout issues, ensure that the CSRF token is refreshed when a new session is created. You can use the csrf_field() helper function in forms and include the CSRF token in AJAX request headers.
  • Disabling caching for forms: To prevent outdated CSRF tokens in cached forms, set appropriate cache-control headers to prevent caching of form pages.
  • Handling AJAX requests: Ensure that AJAX requests include the CSRF token in the request headers. This can be automated by setting a common header with the CSRF token for all AJAX requests in your JavaScript code.
  • Configuring sessions and middleware: Review Laravel’s session and middleware configurations to ensure they are set up correctly. Pay attention to session lifetime and the order of middleware in the kernel.php file.

6 Ways to Solving the “CSRF Token Mismatch Error” 

We cannot cover specific solutions to the CSRF token mismatch error in all possible web applications. However, here are a few general approaches that can help resolve the problem.

1: Check if the CSRF Tokens are Actually Mismatched

First thing, it is important to ensure that the CSRF tokens from the client and server are indeed mismatched. This verification can be done by logging both tokens and comparing them.

Remember, CSRF tokens are usually generated for each session or form, and they should be unique. When a form is submitted, the server compares the CSRF token sent with the request against the one stored in the session. If they do not match, you will encounter the CSRF token mismatch error.

In case the tokens are not mismatched, the problem may lie elsewhere. If they are, you’ve identified the problem and can proceed to one of the solutions below.

2. Clear Cookies from the Browser

Sometimes, the solution can be as simple as clearing cookies from the browser. Old or corrupted cookies can cause a CSRF token mismatch error.

To clear cookies, go to your browser settings and find the option to clear browsing data or cookies. Once the cookies are cleared, try to perform the action that was causing the error again.

Remember, while clearing cookies can solve the issue temporarily, it may not be a permanent fix if the problem lies elsewhere in your code or application setup.

3. Make Sure CSRF Tokens are Generated and Passed Correctly

After confirming a CSRF token mismatch, the next step is to make sure the tokens are generated and passed correctly. The generation of CSRF tokens is usually handled by your web framework. However, you need to ensure they are included in your forms or AJAX requests.

Check your form to ensure that it includes a CSRF token. If you’re using AJAX requests, make sure the CSRF token is included in the request header. This process is crucial because even if the server generates a CSRF token, it won’t be able to verify the request if the client doesn’t send one.

4. Check if the Session and CSRF Token Has Expired

Another common cause of a CSRF token mismatch is an expired session or CSRF token. Most web applications are designed such that CSRF tokens expire after a period of inactivity, which is a good practice for security reasons.

To check if this is the case, look at the expiration time of your sessions and CSRF tokens. If the user was inactive for longer than this period, their session or CSRF token may have expired.

If you find that tokens are expiring too quickly, causing inconvenience to your users, you may want to consider lengthening the expiration time. However, remember to strike a balance between user convenience and application security.

5. Check for JavaScript Errors in the Console

Sometimes, the issue could stem from a JavaScript error. If your application relies heavily on JavaScript, an error could prevent the CSRF token from being included in requests.

To check for JavaScript errors, open your browser’s console and look for any red error messages. Debug and fix any errors you find.

6. Consider Using Double Submit Cookies as an Additional Check

Double submit cookies present another layer of security. In this method, the server sends a CSRF token as a cookie alongside the regular CSRF token. When a request is made, the server checks both the CSRF token and the cookie values to detect a mismatch.

This approach can help identify a CSRF token mismatch error by providing an additional check. However, it should be used as an added layer of security and not a replacement for other necessary checks.

Resources

DORA: Exploring The Path to Financial Institutions’ Resilience

DORA (Digital Operational Resilience Act) is the latest addition to the EU regulatory arsenal. A framework designed to bolster the cyber resilience of financial entities operating within the EU. But let’s face it: there’s no lack of regulations issued by the European Union legislature, and they’re not exactly known for keeping things light and easy.

IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

Get our newsletter