Laravel unexpected redirects ( 302 )

I encountered an issue with 302 Redirects when posting ajax requests. The solution in this case was to remember to include the CSRF token.

See the Laravel 5.4 documents here: https://laravel.com/docs/5.4/csrf

After several hours of hair pulling, I have found my answer -- and it's silly.

The problem is that the route user.profile has a path user/{uid?} and it matches both user/logout and user/add as paths.

It being before the others, and not having a regex or similar, it handled the route.

I still don't know why a 302 was generated for that page, but found that moving it out of the AuthController and into the UserController (where it should be from the start) fixed the behavior.

Thus, my (amended and working) routes now look like so:

Route::group(['middleware' => 'web'], function () {
  // Authentication Routes...
  Route::get( 'user/login',  ['as' => 'user.login',     'uses' => 'Auth\AuthController@showLoginForm']);
  Route::post('user/login',  ['as' => 'user.doLogin',   'uses' => 'Auth\AuthController@login'        ]);

  Route::group(['middleware' => 'auth'], function() {
    // Authenticated user routes
    Route::get( '/',     ['as'=>'home', 'uses'=> 'HomeController@index']);
    Route::get( '/home', ['as'=>'home', 'uses'=> 'HomeController@home']);
    Route::get( 'user/logout', ['as' => 'user.logout',    'uses' => 'Auth\AuthController@logout'  ]);

    // *** Added /profile/ here to prevent matching with other routes ****
    Route::get( 'user/profile/{uid?}', ['as' => 'user.profile',   'uses' => 'UserController@profile' ]);
    Route::get( '/user/add',           ['as' => 'user.add',       'uses' => 'UserController@showAddUser']);

    [...]
    });
});

I got the same issue and i solved it by adding the header with accept:'application/json'. And I think I checked the source code before which indicates that if you don't add this, it might redirect when you are using the auth middleware. But I am not sure if it is the case and I cannot recall where i found this.

For me it was guest middleware!

This middleware redirects user to homepage if authenticated. You don't have to use it for Api requests. So I removed it and the problem solved.

May be default redirect page after logout is home and seems like you do not have home in your web route. Try the below code in your AuthController.php

use AuthenticatesAndRegistersUsers, ThrottlesLogins; // after this line
$redirectAfterLogout = 'login' // add this line

This will redirect you to login page after logout. You can change it to any route if you wish. I used login as an example.

OR

You can change after logout route in \vendor\laravel\framework\src\Illuminate\Foundation\Auth\AuthenticatesUsers.php

public function logout()
    {
        Auth::logout();

        return redirect(property_exists($this, 'redirectAfterLogout') ? $this->redirectAfterLogout : 'login');
    }

I changed the default route to login. If you don't have $redirectAfterLogout in your AuthController.php it will look here for redirect path. I don't suggest people to edit here, it's kind of hard coding.

I had this issue and it turned out I had a route:redirect inside my ajax controller. which doesn't make sense because obviously we have to return ajax but I was returning a route!

I too experienced this issue in the login page which worked fine previously. So thought have a look at the directory permissions and it resulted the following:

drwxr-xr-x  7 user user     4096 Jun 27  2019 storage

So storage directory has 755 permission which means only the owner has write access, Since that directory owned by "user" others like laravel can't write into it.

Changing the directory to 777 with this cmd resolved my issue:

sudo chmod 777 -R PROJECT_PATH/storage

The right way,

Since making that directory world-writable isn't the right way, make that directory owned by apache and set 775 to storage.. and it worked again.

sudo chown -R user:www-data PROJECT_PATH/storage
sudo chmod 775 -R PROJECT_PATH/storage

I use a lot ajax (get & post) and with every response I update the token with session()->regenerate() on the server, then on the client side I update every token field with js. But last week, I delete by mistake the one liner function to do that. So, suddenly the system starts to give a 302 response after the second call. It was so hard to find what was going on, because it works sometimes (firstime) and sometimes don't. After I realize it was a token mismatch, I struggle a couple of days trying to find why, because the response don't point a token mismatch, just the 302 redirect. Finally, I find the problem by dd() both tokens on the tokensMatch() function. I don't know why it won't trigger a TokenMismatch.

I hope this anecdote help you.

For me it was this in my controller:

public function __construct()
{
   $this->middleware('admin');
}

For me it was config/session.php

I changed some values there for production app like path, secure, same_site

But on local due to http://localhost, Secure session was failing to create any cookies.

That's why Authenticate middleware redirecting to login page with status 302

If your website doesn't use HTTPS you have to define the following attribute in your .env

SESSION_SAME_SITE=Strict

Note: this precaution applied by some browsers to prevent exploit website's users