
419 Page Expired error in Laravel
=================================

### [\#Laravel](https://rocketeersapp.com/laravel)

When working with Laravel you will encounter this error from time to time. Here's how you can fix this error.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on February 23, 2024 
Updated on June 30, 2026 · 1 minute read

1. [Why is the page expired?](#content-why-is-the-page-expired)
2. [When does this happen](#content-when-does-this-happen)
3. [How to fix the error](#content-how-to-fix-the-error)

Why is the page expired?
------------------------

Laravel ships with Cross-Site Request Forgery (CSRF) protection, a mechanism that guards your application against HTTP requests that originate outside it.

Requests from the outside cannot always be trusted, because they can try to meddle with the data and sessions of your users.

CSRF protection works by generating a unique, random token that only your application knows, so it can tell whether a request is allowed by verifying this token. The token expires automatically so that it cannot be retrieved and used again and again.

When does this happen
---------------------

A page expired error can happen when you've forgotten to send the randomly generated CSRF token along with a "POST", "PUT", "PATCH", or "DELETE" request.

This typically happens when making an AJAX request or when submitting a form.

How to fix the error
--------------------

When submitting a form, always add a hidden input named `_token` with the value set to `csrf_token()`. More simply, you can use the `@csrf` Blade directive, which is a shortcut that outputs this hidden input.

If the error occurs on an AJAX request, it's because the `X-CSRF-TOKEN` header is missing from the request.

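You can add this header automatically to every AJAX request when using the popular [Axios](https://axios-http.com) JavaScript HTTP library:

```
window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
// Send the token from the csrf-token meta tag with every request
window.axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector('meta[name="csrf-token"]').content;
```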

Or when using jQuery:

```
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
```
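For code that calls `fetch()` directly instead of Axios or jQuery, a small wrapper can attach the same header and surface the 419 response. This is an added example, not code from the original article; `csrfHeaders` and `csrfFetch` are hypothetical names, and it assumes the layout contains the same `csrf-token` meta tag that the jQuery snippet reads.

```javascript
// Added example, not from the article. Assumes the layout renders
// <meta name="csrf-token" content="{{ csrf_token() }}"> in <head>.
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Pure helper: which headers does this request need?
// pageOrigin is location.origin; token is the meta tag's content.
function csrfHeaders(method, url, pageOrigin, token) {
    const target = new URL(url, pageOrigin); // resolves relative URLs
    // Never attach the token to another origin: that would disclose it.
    if (target.origin !== pageOrigin) return {};
    const headers = { 'X-Requested-With': 'XMLHttpRequest' };
    if (UNSAFE_METHODS.has(method.toUpperCase())) {
        if (!token) throw new Error('csrf-token meta tag is missing or empty');
        headers['X-CSRF-TOKEN'] = token;
    }
    return headers;
}

// fetch() wrapper. env defaults to the browser globals; a stub can be
// passed in tests. options.headers is assumed to be a plain object.
async function csrfFetch(url, options = {}, env = globalThis) {
    const meta = env.document.querySelector('meta[name="csrf-token"]');
    const extra = csrfHeaders(options.method || 'GET', url,
        env.location.origin, meta ? meta.content : '');
    const response = await env.fetch(url, {
        credentials: 'same-origin', // the session cookie must travel with the token
        ...options,
        headers: { ...(options.headers || {}), ...extra },
    });
    if (response.status === 419) {
        // Session or token expired: only a page reload yields a fresh token.
        const error = new Error('419 Page Expired: reload to get a new CSRF token');
        error.pageExpired = true;
        throw error;
    }
    return response;
}
```

Callers can catch the error, check `pageExpired`, and prompt the user to reload rather than silently retrying with the stale token.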

If users hit the error after leaving a form open for a while, the session (and with it the token) has simply expired. Raise `SESSION_LIFETIME` in your [.env file](/environment-variables-laravel) and [clear the config cache](/clear-cache-laravel) afterwards.

Another option - depending on your use case - is to [disable the verification of the CSRF token](/disable-csrf-in-laravel) for all or specific routes in your application.

For stateless requests such as API calls or webhooks this makes sense, and API tokens or signed routes are the more suitable way to protect them.

For a deeper walkthrough of every cause and fix, including AJAX headers and expired sessions, see [CSRF token mismatch in Laravel](/csrf-token-mismatch-laravel).


Frequently asked questions
--------------------------

### Why do I get a 419 error only after leaving the page open for a while?

The CSRF token lives in the session, and the session expires after a period of inactivity (two hours by default). Once it lapses, the token submitted by the old page no longer matches, so Laravel returns 419. Reloading the page issues a fresh token. To allow more time, raise `SESSION_LIFETIME`.

### How do I increase how long before the token expires?

Set `SESSION_LIFETIME` (in minutes) in your `.env`, or edit the `lifetime` value in `config/session.php`. For example, `SESSION_LIFETIME=480` keeps sessions, and therefore CSRF tokens, valid for eight hours.

### Why do I get a 419 error on my login form?

Almost always the session isn't persisting, so there's no token to verify against. Check that `APP_URL` and `SESSION_DOMAIN` match the URL you're visiting, that `storage/framework/sessions` is writable (for the file driver), and that your `APP_KEY` is set.

### How do I fix the 419 error with Livewire?

Livewire sends the CSRF token automatically, so a 419 there usually means the session was lost: confirm `@csrf` is present in the page, the `APP_KEY` is set, and the session cookie is being stored. A stale tab after a deploy can also trigger it; a reload fixes that case.

### Is the 419 error the same as a CSRF token mismatch?

Yes. 419 is the HTTP status Laravel returns when the CSRF token is missing or no longer matches the one in the session. "Page Expired" is just the friendly message shown for that status.

