Why Is My CSRF Token Empty When Using Form::open()?

- 1 answer

I am just starting out so please forgive me. I have a solid grasp on CodeIgniter, so I understand what is going on. However, I am noticing that my CSRF token is empty when I am creating a form. I am working through the laracasts videos to get a gasp on Laravel workflow.


 {!! Form::open((array('action' => '[email protected]'))) !!}
 {{!! Form::close() !!}}

Here is what I am getting when I view the source:

<form method="POST" action="" accept-charset="UTF-8">
<input name="_token" type="hidden">

I've looked through the config directory, but see nothing on having to enable csrf. Is there an additional setting somewhere I need to update?

Thank you for your suggestions.


Even this gives me an empty hidden input field:

{{ Form::token() }}  // <input name="_token" type="hidden">


Here is what my controller looks like:

//use Illuminate\Http\Request;
use Request;
use App\Article;
use App\Http\Requests;
use App\Http\Controllers\Controller;

public function store(Request $request)
    $input = Request::all();

    return $input;

So my updated form tag looks like this:

{!! Form::open((array('action' => '[email protected]'))) !!}

When I submit, I can see the json response - the token is obviously empty.



The Laravel Fundamental series is for Laravel 5.0 so you have a few options. You can install Laravel 5.0 to continue with that series. In order to install L5.0, you need to run this command:

composer create-project laravel/laravel {directory} "~5.0.0" --prefer-dist

If you want to use Laravel 5.2 though (which I would recommend and Jeffrey Way will most likely release a series on this soon), there are several extra things to take into consideration.

First, put all your routes inside a "web" middleware group like this:

Route::group(['middleware' => ['web']], function () {

    // Put your routes inside here


In the past, there were several middlewares that ran on every request by default. In 5.2, this is no longer the case. For example, the token is stored in the session, but in 5.2, things like the "StartSession" middleware are not automatically applied. As a result, the "web" middleware need to be applied to your routes. The reason for this change in 5.2:

Middleware groups allow you to group several route middleware under a single, convenient key, allowing you to assign several middleware to a route at once. For example, this can be useful when building a web UI and an API within the same application. You may group the session and CSRF routes into a web group, and perhaps the rate limiter in the api group.

Also, in the Laravel Fundamental series, Jeffrey pulls in the "illuminate/html" package, but now, most people use the laravel collective package. They handle a lot of the Laravel packages that are taken out of the core. As a result, I would remove the "illuminate/html" package. In your composer.json file, remove "illuminate/html: 5.0" (or whatever is in the require section). Also, remove the corresponding service provider and form facades that you added to your config/app.php file.

To install the laravel collective version, add this in your composer.json file instead: "laravelcollective/html": "5.2.*-dev". Then, run composer update. Once that's done, in your config/app.php file, add this to your providers array:


and add this to your aliases array:

'Form' => Collective\Html\FormFacade::class,
'Html' => Collective\Html\HtmlFacade::class,

I hope I'm not missing anything else.