
marosmjartan

Laravel sanctum + Nuxt - CSRF cookie is not working in production

Hello guys!

I'm trying to deploy a Nuxt application with a Laravel backend into production. The application uses nuxt-authentication and Laravel Sanctum via cookies (not JWT). So far so good, everything works... except authentication and POST requests. I have everything set according to the documentation and I don't know where I could have made a mistake. The only possibly unusual thing is that I configured Nginx to point domain.com/ to Nuxt, but domain.com/api/* and (/login + /logout + /sanctum/csrf-cookie) to my Laravel API.

When I try to log in, Nuxt sends a request to /sanctum/csrf-cookie and then to /login. The CSRF response comes back normally like on my localhost, but the browser does not set the cookie in memory. And /login obviously returns a 419 (CSRF mismatch).

Do you know where the problem might be?

Laravel .env

BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_DOMAIN=https://my-domain.com
SANCTUM_STATEFUL_DOMAINS=https://my-domain.com
MEMCACHED_HOST=127.0.0.1

Nuxt config

  auth: {
    strategies: {
      laravelSanctum: {
        provider: 'laravel/sanctum',
        url: process.env.BASE_URL,
      },
    },
  },

  axios: {
    baseURL: process.env.BASE_URL,
    credentials: true,
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  },
marosmjartan
OP
Best Answer

I figured it out. For some reason I had to change the session domain in my .env from https://domain.com to just domain.com, and also change the property 'same_site' in config/session.php from 'lax' to 'strict'.

It wasn't a problem with Laravel or Nuxt, it was a browser issue, because it "rejected cookie for invalid domain".
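
The browser-side rejection described in the answer, as an added example that is not part of the original thread: a simplified version of the RFC 6265 Domain-attribute check a browser applies to Set-Cookie. It assumes the SESSION_DOMAIN value ends up unchanged in the cookie's Domain attribute; the function names, the XSRF-TOKEN value and the header strings are constructed for illustration, and the public-suffix check real browsers also perform is left out.

```javascript
// Added example: simplified RFC 6265 Domain-attribute check (sections 5.1.3, 5.2.3, 5.3).
// Host names, cookie values and function names are constructed for illustration.

// Domain-match: identical strings, or the host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Extract the Domain attribute from a Set-Cookie header value (last one wins).
function parseDomainAttribute(setCookie) {
  let domain = null;
  for (const part of setCookie.split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (name === 'domain' && value !== '') {
      domain = value.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
    }
  }
  return domain;
}

// Decide whether a browser would store the cookie for this request host.
function checkCookieDomain(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = parseDomainAttribute(setCookie);
  if (domain === null) {
    return { stored: true, reason: 'no Domain attribute: host-only cookie' };
  }
  if (!domainMatches(host, domain)) {
    return { stored: false, reason: `Domain "${domain}" does not match host "${host}"` };
  }
  return { stored: true, reason: `Domain "${domain}" matches host "${host}"` };
}

// Constructed Set-Cookie values: the first mirrors SESSION_DOMAIN with a scheme,
// the second mirrors the corrected bare host name.
const host = 'my-domain.com';
const withScheme = 'XSRF-TOKEN=abc123; path=/; domain=https://my-domain.com; samesite=lax';
const bareHost = 'XSRF-TOKEN=abc123; path=/; domain=my-domain.com; samesite=lax';

console.log(checkCookieDomain(host, withScheme)); // rejected: scheme is not part of a host
console.log(checkCookieDomain(host, bareHost));   // stored
```

Running the same check against the Set-Cookie header captured from /sanctum/csrf-cookie in production shows whether the 419 comes from a cookie that was never stored.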
