
andyandy

Problem with Laravel Sanctum and CSRF token mismatch. Laravel is rewriting the correct cookie

I'm doing login with Laravel Sanctum cookies.

TLDR: Laravel is trying to rewrite my correctly generated and set xsrf-token cookie with another value.

  1. I call /sanctum/csrf-cookie, which returns to me Set-Cookie: XSRF-TOKEN=eyJpdiI6ImZhQlJiYU5TRlhjbS9vRGRNYlVCMHc9PSIsInZhbHVlIjoiYTlqR1R0Q2Q1OXh4VTBmRzFlcFpULzFrWjlCZXRJQUpRb25WbTBtd3lqWUxqME45TmVNbFB3a01WRzJaR1M4V3ZpekExOVpnbDMva2svZ2M3UExIMGZ4bWg2SXBLWjdCL3NIaXZkdEdNNDI5Q1ZJS3lQaGZqWVZlV0kzVmVOWDYiLCJtYWMiOiJjNmM1ZGJlOTA5MWIzMWMyOWFkMDhkNGMyYjQ3N2MxZjE3ZGU2YzRmMjM2M2Y4MDIwMDQ0Y2M1NDdjZDQxOGNhIiwidGFnIjoiIn0=

  2. I then use this in the headers as x-xsrf-cookie: eyJpdiI6ImZhQlJiYU..... I log in correctly. I can make other requests as the logged-in user. Everything is working.

But on every request (when I log in, when I make subsequent requests) Laravel returns Set-Cookie: XSRF-TOKEN=UL5o7xLGYMIoP2yiouyh9leqv1CDMsZUkF9KbXKo and tries to rewrite my correctly set cookie.

Basically, I should keep forever that LONG token I got from /sanctum/csrf-cookie, but Laravel is trying to rewrite it with some short token every time I make a request.

andyandy

Consulting AI about it, it's telling me that all the routes secured by Sanctum should be excluded in VerifyCSRFToken.php. Really?

andyandy

When I'm sending a request, I'm sending:

Content-Type: application/json
Accept: application/json
X-XSRF-TOKEN: eyJpdiI6InRTeHQyUGRsaGJ5bzFBeUMydXllcGc9PSIsInZhbHVlIjoibDk3ZlE0UmY0c1pmQnU5VmoyUVVhNE0ydGwzRjA3a2lUN0pLaE11SUdYeDJQSGh0YWdYS0NnUFhQY0pHMzVvRjAxaEp1c29VZEN1WU4zTmo3UHhDWmJ3MVduejRqSVgrWUVqd2xHUVB2L091WHp0NllENmJuaTMvSEk3VXZvM2UiLCJtYWMiOiJmYWNmMTlmYWExZjIxMjcxYTRhZThjM2ExNGZhYjVlYzAzYjA3MTI5MzQ2OGVlOTM3N2I1NzAzZDg2Njg0YmZkIiwidGFnIjoiIn0=

And Laravel is responding to this request with:

...
Set-Cookie: XSRF-TOKEN=qoBYml6DCDYTIFkic0lt0xX16yudDyYrxrNX6Jdz; expires=Wed, 20 Mar 2024 13:02:12 GMT; Max-Age=7200; path=/; domain=127.0.0.1; samesite=lax;HttpOnly;Secure
...

Which is a completely different value.
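The cookie-bootstrap flow described in this thread (GET /sanctum/csrf-cookie, read XSRF-TOKEN, echo it back URL-decoded as X-XSRF-TOKEN), plus a small diagnostic for the symptom reported above, as an added example written for this thread; it is not code from the poster or from Laravel/Sanctum. It runs in Node.js with no server: the two cookie values are the ones quoted in the posts, the cookie attributes on the first one are constructed (the post only shows its value), and the "encrypted cookie" check relies on Laravel's EncryptCookies middleware emitting values as base64 of a JSON object with iv, value, mac and tag keys.

```javascript
// Added example (not from the original post): Sanctum CSRF cookie helpers and
// a diagnostic for "XSRF-TOKEN changes on every response". Node.js, no network.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Parse one Set-Cookie header into { name, value, attributes }.
// Attribute names are lower-cased; bare flags (HttpOnly, Secure) become true.
function parseSetCookie(headerValue) {
  const [pair, ...rest] = headerValue.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of rest) {
    const a = attr.trim();
    if (!a) continue;
    const i = a.indexOf('=');
    if (i === -1) attributes[a.toLowerCase()] = true;
    else attributes[a.slice(0, i).trim().toLowerCase()] = a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Laravel's EncryptCookies middleware writes cookie values as
// base64(JSON{iv, value, mac, tag}). True for that shape, false for anything
// else (for example a raw 40-character token).
function looksLikeEncryptedLaravelCookie(value) {
  try {
    const json = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
    return typeof json === 'object' && json !== null &&
      ['iv', 'value', 'mac'].every((k) => typeof json[k] === 'string');
  } catch (e) {
    return false;
  }
}

// The value the SPA must send in X-XSRF-TOKEN: the cookie value, URL-decoded
// (browsers store the trailing "=" of the base64 payload as "%3D").
function xsrfHeaderValue(cookieString) {
  const raw = parseCookieString(cookieString)['XSRF-TOKEN'];
  if (raw === undefined) {
    throw new Error('XSRF-TOKEN cookie missing: call GET /sanctum/csrf-cookie first');
  }
  return decodeURIComponent(raw);
}

// Headers for a state-changing JSON request, as shown in the thread.
function buildRequestHeaders(cookieString) {
  return {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
    'X-XSRF-TOKEN': xsrfHeaderValue(cookieString),
  };
}

// Diagnostic: compare the XSRF-TOKEN issued by /sanctum/csrf-cookie with the
// one a later response sets, and report the facts a reader needs to check.
function diagnoseXsrfCookie(issuedSetCookie, laterSetCookie) {
  const first = parseSetCookie(issuedSetCookie);
  const later = parseSetCookie(laterSetCookie);
  return {
    rotated: first.value !== later.value,
    firstLooksEncrypted: looksLikeEncryptedLaravelCookie(first.value),
    laterLooksEncrypted: looksLikeEncryptedLaravelCookie(later.value),
    // An HttpOnly cookie is invisible to document.cookie, so a browser SPA
    // could never echo such a value back in X-XSRF-TOKEN.
    laterReadableByJs: later.attributes.httponly !== true,
  };
}

// Values quoted in the thread. Attributes on ISSUED are constructed.
const ISSUED = 'XSRF-TOKEN=eyJpdiI6ImZhQlJiYU5TRlhjbS9vRGRNYlVCMHc9PSIsInZhbHVlIjoiYTlqR1R0Q2Q1OXh4VTBmRzFlcFpULzFrWjlCZXRJQUpRb25WbTBtd3lqWUxqME45TmVNbFB3a01WRzJaR1M4V3ZpekExOVpnbDMva2svZ2M3UExIMGZ4bWg2SXBLWjdCL3NIaXZkdEdNNDI5Q1ZJS3lQaGZqWVZlV0kzVmVOWDYiLCJtYWMiOiJjNmM1ZGJlOTA5MWIzMWMyOWFkMDhkNGMyYjQ3N2MxZjE3ZGU2YzRmMjM2M2Y4MDIwMDQ0Y2M1NDdjZDQxOGNhIiwidGFnIjoiIn0=; path=/; samesite=lax';
const LATER = 'XSRF-TOKEN=qoBYml6DCDYTIFkic0lt0xX16yudDyYrxrNX6Jdz; expires=Wed, 20 Mar 2024 13:02:12 GMT; Max-Age=7200; path=/; domain=127.0.0.1; samesite=lax;HttpOnly;Secure';

// What the browser's cookie jar would hold after the first response (URL-encoded).
const BROWSER_COOKIES = 'XSRF-TOKEN=' + encodeURIComponent(parseSetCookie(ISSUED).value) + '; laravel_session=constructed';

console.log(buildRequestHeaders(BROWSER_COOKIES));
console.log(diagnoseXsrfCookie(ISSUED, LATER));
```

Running it prints the request headers with the decoded long token and a diagnostic object in which `rotated` is true, only the first value has the encrypted-cookie shape, and the later cookie carries HttpOnly, which is worth checking because document.cookie cannot read an HttpOnly cookie at all.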
