CueTracker

Authentication on AJAX endpoint

I want to run certain requests through a subdomain, some of which are AJAX calls requiring authentication. This seems to work, even in AJAX calls, except when combining it with a middleware that uses auth()->check(). This returns false persistently, regardless of any CORS rules I set or which session driver I use. It's starting to drive me a bit insane :) Suggestions would be most welcome!

config/cors.php:

    'paths' => ['*'],

    'allowed_methods' => ['*'],

    'allowed_origins' => [
        'https://subdomain.domain.test',
        'https://domain.test',
    ],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => false,

    'max_age' => false,

    'supports_credentials' => true,

config/sessions.php:

    'driver' => env('SESSION_DRIVER', 'redis'),

    'lifetime' => env('SESSION_LIFETIME', 120),

    'expire_on_close' => false,

    'encrypt' => false,

    'files' => storage_path('framework/sessions'),

    'connection' => env('SESSION_CONNECTION', 'sessions'),

    'table' => 'sessions',

    'store' => env('SESSION_STORE', null),

    'lottery' => [2, 100],

    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_') . '_session'
    ),

    'path' => '/',

    'domain' => env('SESSION_DOMAIN', null),

    'secure' => env('SESSION_SECURE_COOKIE', null),

    'http_only' => true,

    'same_site' => 'lax',

0 likes
3 replies
bobbybouwmann

Well, AJAX requests don't have a session set by default, unless they are fired from the same domain where you logged in using a session.

So my best bet is that you fire these calls from the subdomain, but the session is only set on the main domain. You can fix this in Laravel by setting the domain value in your config/sessions.php

    'domain' => '.example.com',

Notice the . before the domain name. This makes the session available to the main and all subdomains. To make this work you need to log in again to set the session correctly.

1 like
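To make the reply above concrete, here is an added example that is not code from the thread or from Laravel: a small model of the browser rules that decide whether the session cookie set on the main domain is attached to an AJAX call to a subdomain (cookie Domain scope, the fetch credentials mode and SameSite), plus the response headers a credentialed CORS layer must emit. Hostnames, cookie names and the config object are constructed for illustration; ports, the Path attribute and the public-suffix list are ignored.

```javascript
// Added example, not code from the thread or from Laravel. Models the
// browser rules behind "the session is only set on the main domain".
// Hostnames, cookie names and the CORS config object are constructed
// for illustration; ports, Path and the public-suffix list are ignored.

// RFC 6265 5.1.3 domain-matching: the host equals the cookie domain or is
// a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Registrable domain, approximated as the last two labels; drives the
// SameSite decision (same-site means same registrable domain).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// What the browser stores for a Set-Cookie from `setByHost`. A leading dot
// in Domain is ignored (RFC 6265 5.2.3); no Domain attribute yields a
// host-only cookie, which is what SESSION_DOMAIN=null produces.
function storeCookie(setByHost, name, attrs = {}) {
  const domain = (attrs.domain || '').replace(/^\./, '').toLowerCase();
  if (domain && !domainMatches(setByHost, domain)) {
    return null; // rejected: a host may only set cookies for itself or a parent domain
  }
  return {
    name,
    domain: domain || setByHost.toLowerCase(),
    hostOnly: domain === '',
    secure: Boolean(attrs.secure),
    sameSite: (attrs.sameSite || 'lax').toLowerCase(),
  };
}

// Does an XHR/fetch from a page on `pageHost` to `apiHost` carry `cookie`?
// Returns the rule that dropped it, so each failure is visible.
function cookieOnAjax(cookie, pageHost, apiHost, opts = {}) {
  const { https = true, credentials = 'include' } = opts;
  const page = pageHost.toLowerCase();
  const api = apiHost.toLowerCase();
  if (credentials === 'omit') {
    return { sent: false, reason: 'fetch credentials: "omit"' };
  }
  // fetch defaults to same-origin: a call to another host sends no cookies.
  if (credentials === 'same-origin' && page !== api) {
    return { sent: false, reason: 'cross-origin call without credentials: "include"' };
  }
  if (cookie.secure && !https) {
    return { sent: false, reason: 'Secure cookie over plain http' };
  }
  const inScope = cookie.hostOnly ? api === cookie.domain : domainMatches(api, cookie.domain);
  if (!inScope) {
    const kind = cookie.hostOnly ? 'host-only cookie for' : 'cookie scoped to';
    return { sent: false, reason: `${kind} ${cookie.domain}` };
  }
  // Lax and Strict cookies are never attached to cross-site XHR; only None is.
  if (cookie.sameSite !== 'none' && site(page) !== site(api)) {
    return { sent: false, reason: `SameSite=${cookie.sameSite} blocks cross-site XHR` };
  }
  return { sent: true, reason: 'ok' };
}

// Headers a CORS layer must send for a credentialed request. Browsers
// reject a wildcard Access-Control-Allow-Origin when credentials are in
// play, so the exact Origin is echoed only from an explicit allow-list;
// a wildcard combined with credentials is refused here rather than echoed,
// because echoing would let any origin make credentialed calls.
function corsHeaders(config, origin) {
  const wildcard = config.allowed_origins.includes('*');
  if (wildcard && !config.supports_credentials) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!config.allowed_origins.includes(origin)) {
    return {}; // no CORS headers: the browser blocks the response
  }
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (config.supports_credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// The thread's setup: the login happens on domain.test, the AJAX call goes
// from a page on domain.test to the API on subdomain.domain.test.
function demo() {
  const hostOnly = storeCookie('domain.test', 'laravel_session', { secure: true });
  const shared = storeCookie('domain.test', 'laravel_session', { domain: '.domain.test', secure: true });
  return {
    withoutDomain: cookieOnAjax(hostOnly, 'domain.test', 'subdomain.domain.test'),
    withDomain: cookieOnAjax(shared, 'domain.test', 'subdomain.domain.test'),
    defaultCredentials: cookieOnAjax(shared, 'domain.test', 'subdomain.domain.test', { credentials: 'same-origin' }),
  };
}
```

demo() shows the three things that have to line up: the cookie needs a Domain attribute covering both hosts, the client must send credentials: "include" (or withCredentials in XHR), and the server must echo the exact origin with Access-Control-Allow-Credentials. The old host-only cookie is not rewritten by a config change, which is why a fresh login is needed. Note the trade-off the Domain cookie introduces: every host under domain.test can now present (and, if it can set cookies, override) the session cookie, so each subdomain becomes part of the session's trust boundary; HttpOnly keeps it from page scripts but not from a compromised subdomain server.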
CueTracker

Thanks Bobby, I should have clarified that in the code I included, I do actually have the domain set as you describe :)
