419 Page Expired error in Laravel
When working with Laravel you will encounter this error from time to time. Here's how you can fix this error.
Published by Mark van Eijk on February 23, 2024
Updated on June 30, 2026 · 1 minute read
Why is the page expired?
Laravel uses Cross-Site Request Forgery (CSRF) protection, a mechanism that protects your app from HTTP requests forged by external sites.
Requests from the outside cannot always be trusted, because they can try to tamper with the data and sessions of your users.
CSRF protection works by generating a unique, random token that only your application knows, so it can detect whether a request is allowed by verifying this token. The token expires automatically to make sure it cannot be retrieved and used again and again.
When does this happen?
A page expired error can happen when you've forgotten to send the randomly generated CSRF token along with a "POST", "PUT", "PATCH", or "DELETE" request.
This typically happens when making an AJAX request or when submitting a form.
How to fix the error
When submitting a form, always add a hidden input named _token with the value set to csrf_token(). More simply, you can use the @csrf Blade directive, which is a shortcut that outputs this hidden input.
If you're performing an AJAX request, then it's because you've forgotten to add the X-CSRF-TOKEN header to the request.
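You can add this header automatically to every AJAX request when using the popular Axios JavaScript HTTP library. Both snippets below read the token from a csrf-token meta tag in your layout, whose content is set to csrf_token():
window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
window.axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector('meta[name="csrf-token"]').content;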
Or when using jQuery:
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
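As an added example (not code from the original article): a fetch helper that attaches X-CSRF-TOKEN only to state-changing, same-origin requests, so the token is not sent to other hosts, and that reports a 419 response so the caller can reload the page for a fresh token. The names csrfHeaders and send, the app.example.test origin and the token value are assumptions; in a browser the token comes from the csrf-token meta tag.

```javascript
// Added example, not from the original article. Names and sample values are assumptions.
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Return the CSRF header for a request, or {} when the token must not be sent.
// token:      value of <meta name="csrf-token"> (in a browser, read it from the DOM)
// pageOrigin: window.location.origin in a browser; passed in so this also runs in Node
function csrfHeaders(method, url, token, pageOrigin) {
    if (!token || !UNSAFE_METHODS.has(String(method).toUpperCase())) {
        return {};
    }
    // Resolve relative and protocol-relative URLs the way the browser would.
    const target = new URL(url, pageOrigin);
    if (target.origin !== pageOrigin) {
        return {}; // never hand the token to another host
    }
    return { 'X-CSRF-TOKEN': token };
}

// Send a JSON request and report a 419 so the caller can reload for a fresh token.
// fetchImpl is injectable so the function can be exercised without a network.
async function send(method, url, body, { token, pageOrigin, fetchImpl = fetch }) {
    const response = await fetchImpl(url, {
        method,
        credentials: 'same-origin', // session cookie only goes to our own origin
        headers: {
            'Content-Type': 'application/json',
            ...csrfHeaders(method, url, token, pageOrigin),
        },
        body: body === undefined ? undefined : JSON.stringify(body),
    });
    return { ok: response.ok, expired: response.status === 419 };
}

// Constructed sample values: same-origin POST gets the header, cross-origin POST does not.
console.log(csrfHeaders('POST', '/posts', 'constructed-token', 'https://app.example.test'));
console.log(csrfHeaders('POST', 'https://other.example.test/hook', 'constructed-token', 'https://app.example.test'));
```

When send returns expired: true, prompt the user to reload rather than retrying with the same token.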
If users hit the error after leaving a form open for a while, the session (and with it the token) has simply expired. Raise SESSION_LIFETIME in your .env file and clear the config cache afterwards.
Another option, depending on your use case, is to disable the verification of the CSRF token for all or specific routes in your application.
For stateless requests such as API calls or webhooks, which do not rely on the session cookie, this makes sense, and API tokens or signed routes are the more suitable protection there.
For a deeper walkthrough of every cause and fix, including AJAX headers and expired sessions, see CSRF token mismatch in Laravel.
Frequently asked questions
- Why do I get a 419 error only after leaving the page open for a while?
- The CSRF token lives in the session, and the session expires after a period of inactivity (two hours by default). Once it lapses, the token submitted by the old page no longer matches, so Laravel returns 419. Reloading the page issues a fresh token. To allow a longer window, raise SESSION_LIFETIME.
- How do I increase how long before the token expires?
- Set SESSION_LIFETIME (in minutes) in your .env, or edit the lifetime value in config/session.php. For example SESSION_LIFETIME=480 keeps sessions, and therefore CSRF tokens, valid for eight hours.
- Why do I get a 419 error on my login form?
- Almost always the session isn't persisting, so there's no token to verify against. Check that APP_URL and SESSION_DOMAIN match the URL you're visiting, that storage/framework/sessions is writable (for the file driver), and that your APP_KEY is set.
- How do I fix the 419 error with Livewire?
- Livewire sends the CSRF token automatically, so a 419 there usually means the session was lost: confirm @csrf is present in the page, the APP_KEY is set, and the session cookie is being stored. A stale tab after a deploy can also trigger it; a reload fixes that case.
- Is the 419 error the same as a CSRF token mismatch?
- Yes. 419 is the HTTP status Laravel returns when the CSRF token is missing or no longer matches the one in the session. "Page Expired" is just the friendly message shown for that status.