
Danredoros

Laravel 10 / Inertia Authentication does not work on production

I created an application with Laravel 10 and Inertia. On the local server everything works fine. I have not had any problems.

In production, on the other hand, several problems have arisen. The latest is authentication. It basically does not create the session. The write permissions have been set on the server framework/session. I have also tried creating other types of sessions, but it does not work. I cannot understand why.

Here is the code used:

// Route
Route::post('/auth/login', [\App\Http\Controllers\Auth\AuthController::class, 'store'])->name('admin.auth.store');

// Controller
if (!Auth::attempt($request->validate([
    'email' => 'required|string|email',
    'password' => 'required|string'
]), true)) {
    throw ValidationException::withMessages([
        'email' => 'Authentication failed'
    ]);
}

$request->session()->regenerate();
return redirect()->route('home');

The code works locally but not on the server.

alden8

There could be several reasons why sessions are not working on your production server. Here are a few things you can check:

  1. Environment Variables: Make sure that your .env file on the production server is correctly configured, especially the SESSION_DRIVER, SESSION_LIFETIME, SESSION_DOMAIN, SESSION_SECURE_COOKIE and APP_URL variables.

  2. Session Files Permissions: You mentioned that you have set write permissions on the framework/sessions directory. Make sure that the web server user (often www-data for Apache and nginx for Nginx) has read and write permissions.

  3. Session Configuration: Check your config/session.php file and ensure that it's correctly configured. The driver should match the SESSION_DRIVER in your .env file.

  4. Cookie Domain: If your application is under a subdomain, you might need to set the SESSION_DOMAIN in your .env file to your root domain with a preceding dot, like .yourdomain.com.

  5. HTTPS and Secure Cookies: If your production site is served over HTTPS, but your SESSION_SECURE_COOKIE is set to false, it might cause issues. Try setting SESSION_SECURE_COOKIE=true in your .env file.

  6. Cache Configuration: Try clearing your configuration cache using php artisan config:clear on your production server.

  7. Server Configuration: Some server configurations or security modules (like Suhosin for PHP) can interfere with sessions. Check your server's error logs for any indications of this.

Remember to restart your server or reload your PHP-FPM service after making changes to your .env file or configuration files.
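
An added example, not part of the original answer and not Laravel code: a small Python check of the cookie-related `.env` values from points 1, 4 and 5, flagging combinations where a browser will not return the session cookie and combinations that leave it exposed. It assumes `APP_URL` is the URL users actually load; the sample `.env` contents and the function names are constructed for illustration.

```python
from urllib.parse import urlparse

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def domain_matches(host, cookie_domain):
    """Cookie domain-match: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)

def audit_session_env(env_text):
    """Return (level, message) findings for the session cookie settings."""
    env = parse_env(env_text)
    url = urlparse(env.get("APP_URL", ""))  # assumption: the URL users load
    secure = env.get("SESSION_SECURE_COOKIE", "").lower() in ("true", "1")
    domain = env.get("SESSION_DOMAIN", "")
    findings = []
    if secure and url.scheme != "https":
        findings.append(("break", "Secure cookie is not sent over plain HTTP"))
    if not secure and url.scheme == "https":
        findings.append(("harden", "HTTPS site but cookie lacks the Secure flag"))
    if domain and domain.lower() != "null" and url.hostname \
            and not domain_matches(url.hostname, domain):
        findings.append(("break", f"{domain} does not match {url.hostname}"))
    return findings

# Constructed sample .env contents (not taken from the thread).
SAMPLE_BROKEN = """\
APP_URL=http://shop.example.test
SESSION_DRIVER=file
SESSION_DOMAIN=.example.org
SESSION_SECURE_COOKIE=true
"""
SAMPLE_OK = """\
APP_URL=https://shop.example.test
SESSION_DOMAIN=.example.test
SESSION_SECURE_COOKIE=true
"""

if __name__ == "__main__":
    for level, message in audit_session_env(SAMPLE_BROKEN):
        print(level, message)
```

A "break" finding means the login response can succeed while the next request arrives without the session cookie; a "harden" finding does not break login but lets the cookie travel over unencrypted HTTP.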

Danredoros

Thank you for the explanations. I followed the instructions except for points 2 and 7 because I do not have access to these types of actions. So far the result is negative. I always get the same error.

Danredoros

I had a look at the server's logs and I found this. Maybe it can help...

2024-01-12 05:16:47	Error	125.209.235.169	[client 125.209.235.169] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "Yeti" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "19"] [id "101"] [rev "1.0.33"] [msg "Bot blocked"] [severity "ALERT"] [hostname "ecommerce.deniswebapp.ch"] [uri "/robots.txt"] [unique_id "ZaC9L1CYIA6z9o62BLGpXwAAABc"]
2024-01-12 05:16:50	Error	211.249.46.176	[client 211.249.46.176] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "Yeti" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "19"] [id "101"] [rev "1.0.33"] [msg "Bot blocked"] [severity "ALERT"] [hostname "ecommerce.deniswebapp.ch"] [uri "/"] [unique_id "ZaC9Ms1MqZmTZaWzQ0XG6gAAAAQ"]
