
Comments (20)

marothyzsolt avatar marothyzsolt commented on July 20, 2024 16

I have the same problem: TokenMismatchException, and if I disable CSRF the request user is null. I'm using a different domain for the websocket and the webserver; I'm using a subdomain with a different IP address for the websocket (https://ws.example.com:443). I must use another domain on port 443, because on some networks every port has been disabled except the main ports (HTTP, HTTPS, IMAP, POP3, etc).

Update: I solved the problem: changed the session.php 'domain' to: .example.com

from laravel-echo-server.

sidis405 avatar sidis405 commented on July 20, 2024 5

It's funny when years later you have the same problem and you bump on your own issue only to find a solution from 3 hours ago. Thank you @marothyzsolt 💯


barryvdh avatar barryvdh commented on July 20, 2024 2

Yes, you must connect to the web socket over the same domain as the app to share cookies, or use stateless login with JWT headers or something.


barryvdh avatar barryvdh commented on July 20, 2024 2

Tip, try something like this in your client side code:

window.Echo = new Echo({
    broadcaster: 'socket.io',
    host: window.location.hostname + ':6001'
});


jonnywilliamson avatar jonnywilliamson commented on July 20, 2024 1

https://laravel.com/docs/5.3/broadcasting#introduction

CSRF Token

Laravel Echo will need access to the current session's CSRF token. If available, Echo will pull the token from the Laravel.csrfToken JavaScript object. This object is defined in the resources/views/layouts/app.blade.php layout that is created if you run the make:auth Artisan command. If you are not using this layout, you may define a meta tag in your application's head HTML element:

<meta name="csrf-token" content="{{ csrf_token() }}">

Also, bootstrap.js (assuming you're using Vue resource to send the requests) should have

/**
 * We'll register a HTTP interceptor to attach the "CSRF" header to each of
 * the outgoing requests issued by this application. The CSRF middleware
 * included with Laravel will automatically verify the header's value.
 */

Vue.http.interceptors.push((request, next) => {
    request.headers['X-CSRF-TOKEN'] = Laravel.csrfToken;

    next();
});


jonnywilliamson avatar jonnywilliamson commented on July 20, 2024 1

@ctf0 Thanks! I wasn't having the issue it was @sidis405 .

Hopefully he got sorted.


david95thinkcode avatar david95thinkcode commented on July 20, 2024 1

I've faced this issue on my local dev environment.
In my case I solved it by replacing 127.0.0.1 by localhost.
Capture d’écran 2020-02-03 à 16 03 17

On production I've faced the same problem but finally resolved it by doing this :

  1. adding this to Echo object :

Capture d’écran 2020-02-07 à 14 05 12

  2. Adding my websocket server subdomain to env variable like this :
    SESSION_DOMAIN=subdomain.org

subdomain.org without the prefixes like www or anything else.

Notes: My laravel-echo version is 1.6.1

I hope this helps somebody.
Thanks to @barryvdh and @marothyzsolt , your comments helped me so much.


ctf0 avatar ctf0 commented on July 20, 2024

@jonnywilliamson the Laravel.csrfToken won't work unless u have the script part in the layout file to bind it, so instead u can use

Vue.http.interceptors.push((request, next) => {
    const csrfToken = document.querySelector('meta[name="csrf-token"]').getAttribute('content')
    request.headers.set('X-CSRF-TOKEN', csrfToken);
    next();
});


iddarohhi avatar iddarohhi commented on July 20, 2024

@sidis405 Did you find the solution? I'm having the same issue.


barryvdh avatar barryvdh commented on July 20, 2024

I just ignored the CSRF protection on the broadcasting route.. But CSRF protection works for me out of the box when I do this: <meta name="csrf-token" content="<?= csrf_token() ?>" /> in the <head>, only problem is that it expires after inactivity


barryvdh avatar barryvdh commented on July 20, 2024

Is your authentication domain exactly the same as the app you're viewing? Can you verify that the Cookies are sent with your Socket (e.g. open the WebSocket tab in Chrome dev tools and view the request headers)?


ismailkriam avatar ismailkriam commented on July 20, 2024

I have the same problem.
I think the laravel-echo-server sent the request with a new session,
and if I disable the CSRF verification middleware, the request->user() returns null.
This is the problem.


barryvdh avatar barryvdh commented on July 20, 2024

See my questions in previous comment.
If no valid cookies are sent, the session id isn't correctly passed through and will generate a new session.


ismailkriam avatar ismailkriam commented on July 20, 2024

please see the snapshot.
snapshot


barryvdh avatar barryvdh commented on July 20, 2024

So no laravel session cookies. What if you visit the website also on http://localhost instead of 127.0.0.1?


ismailkriam avatar ismailkriam commented on July 20, 2024

Thanks for your help @barryvdh, the problem is fixed.
I must access the application using localhost, not the IP.
This was the problem.

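Why the two fixes reported so far in this thread work (session 'domain' set to .example.com, and localhost instead of 127.0.0.1), as an added example that is not code from any commenter or from laravel-echo-server: a simplified model of RFC 6265 cookie matching that decides whether the browser attaches the Laravel session cookie to a request for the socket host. The app host `www.example.com` and the helper names are assumptions; public-suffix checks and IPv6 are not modeled.

```javascript
// Added example: RFC 6265 cookie matching for the host names discussed in this thread.
// Hosts may carry a port; cookies are not scoped by port, so it is stripped.
const hostOf = (h) => new URL('http://' + h).hostname.toLowerCase();
const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host.
function domainMatch(host, domain) {
  if (host === domain) return true;
  return !isIPv4(host) && host.endsWith('.' + domain);
}

// Cookie the browser stores after the app at `appHost` sets the session cookie.
// `domainAttr` stands for 'domain' in config/session.php (null = not set).
function storeCookie(appHost, domainAttr) {
  const origin = hostOf(appHost);
  if (!domainAttr) return { domain: origin, hostOnly: true };
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  // A Domain attribute that the setting host does not match is rejected.
  if (!domainMatch(origin, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach that cookie to a request to `socketHost`?
function sessionReaches(appHost, domainAttr, socketHost) {
  const cookie = storeCookie(appHost, domainAttr);
  if (!cookie) return false;
  const host = hostOf(socketHost);
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed cases; www.example.com is an assumed app host.
const cases = [
  ['www.example.com', null, 'ws.example.com:443'],
  ['www.example.com', '.example.com', 'ws.example.com:443'],
  ['127.0.0.1', null, 'localhost:6001'],
  ['localhost', null, 'localhost:6001'],
];
for (const [app, dom, sock] of cases) {
  const verdict = sessionReaches(app, dom, sock) ? 'sent' : 'not sent';
  console.log(`${app} domain=${dom} -> ${sock}: session cookie ${verdict}`);
}
```

Setting the domain to `.example.com` also sends the session cookie to every other host under example.com, so each of those hosts has to be trusted with it.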

mdixon18 avatar mdixon18 commented on July 20, 2024

I am getting a TokenMismatch too. I have gone into echo.js (laravel-echo) to see what happens when the request is sent and I logged out the outgoing request headers. It is adding in the CSRF token itself, which is great.

Authorization:"Bearer blahblah"
X-CSRF-TOKEN:"ix7T4lZA9mfCxrd9jDAbeGvSglMeoge7X7fG8LLi"

However, when the auth tries to authenticate I am getting

Client can not be authenticated, got HTTP status 419

Which, looking at HttpException, refers to TokenMismatch. Is there any reason why even with the CSRF token in place I would get a mismatch?

This is when trying to access a private channel. My entire call looks like this:

window.Echo = new Echo({
    broadcaster: 'socket.io',
    host:  'http://external.dev:6001',
    auth: {
        headers: {
            Authorization: 'Bearer blahblah'
        }
    },
});


tlaverdure avatar tlaverdure commented on July 20, 2024

Hey there, this issue was opened a while ago. I'm going to close this issue, if this issue still exists, please open a new issue or open a Pull Request.


efriandika avatar efriandika commented on July 20, 2024

Thanks @marothyzsolt .. You saved my life in 2020.. :D


SepehrMoafi avatar SepehrMoafi commented on July 20, 2024

I set localhost and IP and APP_URL and host to 0.0.0.0, then I send the CSRF token.
Sometimes they may have different destinations; that's why I set them all to one (0.0.0.0), and it works!
And CSRF like this:

    window.Echo = new MyEcho({
        broadcaster: 'socket.io',
        host: '0.0.0.0:6001', // this is laravel-echo-server host
        auth: {
            headers: {
                'X-CSRF-TOKEN': '{{csrf_token()}}'
            }
        }
    });
