TokenMismatchException and Load Balancers
If you’re getting a TokenMismatchException when submitting forms and you’re also running a load balancer, this might clear things up.
By default, sessions are stored on the filesystem in local/storage/framework/sessions. CSRF tokens are stored in the user’s session.
If a user has their session file created on one server and then submits a form that is handled by another server, their session may be re-created, resulting in a missing or invalid token. That’s when the
Some potential solutions to this:
- Somehow make sure local/storage/framework/sessions is shared across the servers.
- Change the session driver to something persistent across servers by changing
- Disable CSRF verification by adding
site/settings/system.yaml. For obvious reasons, this may be a bad idea.
- Consider if a load balancer is really necessary for your site.
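The failure mode above, and the fix of sharing the session store, can be reproduced in a small simulation. This is an added example, not code from Statamic or Laravel: two hypothetical backend nodes (web1, web2) behind a round-robin balancer each keep a CSRF token in a server-side session, first with a session store per node (like an unshared local/storage/framework/sessions directory), then with one store shared by both nodes. Session ids and tokens are constructed in-memory values.

```python
import secrets


class TokenMismatchException(Exception):
    """Raised when a submitted CSRF token does not match the session's token."""


class SessionStore:
    """In-memory stand-in for a node's session directory (hypothetical)."""

    def __init__(self):
        self.sessions = {}

    def get(self, sid):
        # Like a filesystem session driver: an unknown id yields a fresh, empty session.
        return self.sessions.setdefault(sid, {})


class AppServer:
    """One backend node; it either owns a private store or shares one with its peers."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def render_form(self, sid):
        # GET: issue (or reuse) the CSRF token and keep it in the session.
        session = self.store.get(sid)
        return session.setdefault("_token", secrets.token_hex(16))

    def handle_post(self, sid, submitted_token):
        # POST: the token must match what this node's session store holds.
        expected = self.store.get(sid).get("_token")
        if expected is None or not secrets.compare_digest(expected, submitted_token):
            raise TokenMismatchException(f"{self.name}: missing or invalid token")
        return "ok"


class LoadBalancer:
    """Round-robin dispatcher with no session affinity (hypothetical)."""

    def __init__(self, servers):
        self.servers = servers
        self.next = 0

    def dispatch(self, method, *args):
        server = self.servers[self.next % len(self.servers)]
        self.next += 1
        return getattr(server, method)(*args)


def run_scenario(shared_store):
    """Return 'ok' if the form round-trip succeeds, else the exception name."""
    if shared_store:
        store = SessionStore()
        servers = [AppServer("web1", store), AppServer("web2", store)]
    else:
        servers = [AppServer("web1", SessionStore()), AppServer("web2", SessionStore())]
    lb = LoadBalancer(servers)

    sid = "constructed-session-id"
    token = lb.dispatch("render_form", sid)        # served by web1
    try:
        return lb.dispatch("handle_post", sid, token)  # served by web2
    except TokenMismatchException:
        return "TokenMismatchException"


if __name__ == "__main__":
    print("per-node stores:", run_scenario(shared_store=False))  # TokenMismatchException
    print("shared store:   ", run_scenario(shared_store=True))   # ok
```

With per-node stores, web2 never saw the session web1 created, so it starts an empty one and finds no token; with a single shared store (shared filesystem or a database/cache session driver), web2 reads the same token web1 issued and the POST succeeds. Sticky sessions at the balancer would also mask the problem, but only until a node is drained or fails.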