Merge pull request #7528 from barryvdh/patch-9

Allow both encrypted + unencrypted CSRF header token

src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php

@@ -54,12 +54,14 @@ public function handle($request, Closure $next)
 	 */
 	protected function tokensMatch($request)
 	{
-		$token = $request->session()->token();
+		$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
 
-		$header = $request->header('X-XSRF-TOKEN');
+		if ( ! $token && $header = $request->header('X-XSRF-TOKEN'))
+		{
+			$token = $this->encrypter->decrypt($header);
+		}
 
-		return StringUtils::equals($token, $request->input('_token')) ||
-		       ($header && StringUtils::equals($token, $this->encrypter->decrypt($header)));
+		return StringUtils::equals($request->session()->token(), $token);
 	}
 
 	/**