API Calls Made By Logged In Users Create New Session

Front-End: example.com

Laravel App: api.example.com:8000

Note: api.example.com:8000 is on a subdomain of example.com, and both live on separate servers.

Users are logged into app.com (Auth::login()) via Laravel Socialite's OAuth 2.0 flow.

If I create a route such as:

    Route::any('/userinfo', function (Request $request) {
        $user = Auth::check();

        return response()->json($user)
            ->header("Access-Control-Allow-Origin", "*")
            ->header("Access-Control-Allow-Headers", "*")
            ->header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
    });

Here are two scenarios:

1. The logged-in user accesses the /userinfo route from their browser at api.example.com:8000/userinfo

The route responds with true and no new sessions are created. This is expected and desired behavior.

2. The user who is logged into api.example.com:8000 visits example.com, and example.com makes an API call via axios:

NOTE: THIS ROUTE IS IN web.php

    // Make a request for a user with a given ID
    axios.get('http://api.example.com:8000/userinfo', {withCredentials: true})
    .then(function (response) {
      // handle success
      console.log(response);
    })
    .catch(function (error) {
      // handle error
      console.log(error);
    })
    .then(function () {
      // always executed
    });

Response from api.example.com:8000

    {
      "id":1,
      "name":"doe, john",
      "email":"[email protected]",
      "email_verified_at":null,
      "created_at":"2022-05-04T17:43:37.000000Z",
      "updated_at":"2022-05-04T17:43:37.000000Z"
    }

Unexpected Behavior

Each time the Axios API call is sent, a new session is created in Laravel (using the file driver).

What's Going On?

  • Why is the new session created?
  • Why am I still able to get the userinfo shown above when a new session is created?
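The following is an added example, not part of the original post: it applies the checks a browser makes on CORS response headers for a request sent with credentials (`withCredentials: true`) to the headers the `/userinfo` route sets. The function name `checkCredentialedCors`, the front-end origin `http://example.com` and the second header set are assumptions made for illustration.

```javascript
// Added example. Applies the browser-side CORS checks for a request sent
// with credentials (axios `withCredentials: true`) to a set of response headers.
function checkCredentialedCors(requestOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const problems = [];

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    problems.push('Access-Control-Allow-Origin "*" is not accepted with credentials');
  } else if (allowOrigin !== requestOrigin) {
    problems.push(`Access-Control-Allow-Origin does not match ${requestOrigin}`);
  }

  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be "true"');
  }

  // With credentials, "*" in these two headers is a literal name, not a wildcard.
  for (const name of ['access-control-allow-headers', 'access-control-allow-methods']) {
    const tokens = (h[name] || '').split(',').map((t) => t.trim());
    if (tokens.includes('*')) problems.push(`${name} "*" is not a wildcard with credentials`);
  }
  return problems;
}

// Assumed front-end origin (the post gives only the host name example.com).
const FRONT_END_ORIGIN = 'http://example.com';

// Headers set by the /userinfo route in the post.
const routeHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': '*',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
};

// Constructed alternative with an explicit origin and credentials enabled.
const explicitHeaders = {
  'Access-Control-Allow-Origin': FRONT_END_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'Content-Type',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
};

console.log(checkCredentialedCors(FRONT_END_ORIGIN, routeHeaders));
console.log(checkCredentialedCors(FRONT_END_ORIGIN, explicitHeaders));
```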