Laravel 5 – exclude CSRF Verification for specific routes

The Situation

Laravel 5 comes with CSRF verification set up and active out of the box. This in itself is what I’d describe as pure awesomeness. It means that all your routes are automatically protected from Cross-Site Request Forgery, which is what CSRF stands for.

This post nicely explains how the CSRF verification works and actually does give a solution for excluding routes. I came up with my solution because of this post, actually 🙂

Take a look at the above-mentioned post for a better understanding of how CSRF verification is done in Laravel.

The Problem

Simply, all routes are protected and checked for a CSRF token any time that route is used. That is not necessarily a problem, or the problem.

The problem I had was that my login route was also throwing a TokenMismatchException if the login page was displayed for longer than the session length, or if my browser loaded a cached version of the login page when I went to the login URL.

My Solution

I’ll do a little explanation here. In the VerifyCsrfToken Middleware, there’s a handle method that calls the parent handle method of the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken class which it extends. The handle method does its checks and either throws the TokenMismatchException or calls a method that adds a cookie to the request and passes it on.

This is what my VerifyCsrfToken.php Middleware looks like now:

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Array with list of routes to be excluded from the CSRF Verification
     */
    private $excludedRoutes = [
        'auth/login'
    ];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if( $this->excludedRoute( $request->path() ) ){
            return parent::addCookieToResponse($request, $next($request));
        }

        return parent::handle($request, $next);
    }

    /**
     * Check if a route is excluded from CsrfVerification
     * @param $route The route to check
     * @return boolean
     */
    private function excludedRoute($route){
        for ($i=0; $i < sizeof($this->excludedRoutes); $i++) {
            if($route == $this->excludedRoutes[$i])
                return true;
        }

        return false;
    }
}

What I did here is add an array, excludedRoutes, to the class and an excludedRoute method which takes a String (the path) as a parameter and returns a boolean telling me whether the route passed to it is part of the excluded routes. If it is, I return the parent CsrfVerification class’ addCookieToResponse method like it would on a verified route; otherwise I return the parent’s handle method, and that’s it!
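Excluding auth/login from verification means the login POST is accepted without a token, which leaves the login form itself open to cross-site requests. As an added example (not the author's code), the sketch below handles the same stale-form problem while keeping verification on: it catches the TokenMismatchException for the login route in the application's exception handler and redirects to a freshly rendered form. It assumes the default App\Exceptions\Handler of a Laravel 5 application; the 'token' error key and the message text are hypothetical.

```php
<?php namespace App\Exceptions;

use Exception;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

class Handler extends ExceptionHandler {

    /**
     * Render an exception into an HTTP response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Exception  $e
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $e)
    {
        // A stale or cached login form posts an expired token. Rather than
        // skipping verification, send the user back to the login page so the
        // form is rendered again with a token that matches the new session.
        if ($e instanceof TokenMismatchException && $request->is('auth/login')) {
            return redirect()->to('auth/login')
                // Repopulate the form, but never flash the token or password.
                ->withInput($request->except('_token', 'password'))
                // 'token' key and message are hypothetical, chosen for this example.
                ->withErrors(['token' => 'Your session expired. Please sign in again.']);
        }

        // Every other exception keeps the framework's default rendering.
        return parent::render($request, $e);
    }
}
```

With this in place the excludedRoutes array can stay empty, so the login route is verified like every other route.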

