

Double XSRF Tokens

Hi,

In my app, I keep getting "CSRF token mismatch." after being signed in for a while. This is happening on my staging website, which is set up on my website's subdomain at staging.WEBSITE.com. I have set SESSION_DOMAIN in my .env file to .WEBSITE.com and placed .WEBSITE.com and staging.WEBSITE.com in my SANCTUM_STATEFUL_DOMAINS.

It seems two XSRF tokens get created and it chooses the wrong token. One token is for .WEBSITE.com and the other for staging.WEBSITE.com. On initial login, I correctly have my session and XSRF tokens created for .WEBSITE.com. It's hard to tell when the new staging.WEBSITE.com XSRF token sneaks in.

Has anyone experienced this and stopped both being created?


It sounds like you're encountering an issue where the CSRF token is not being consistently set or recognized across your subdomains. Here's a solution that might help you resolve the issue:

  1. Ensure that your SESSION_DOMAIN is correctly set to the base domain with a leading dot to allow for subdomain access. For example, if your domain is example.com, your .env file should have:

    SESSION_DOMAIN=.example.com

  2. For SANCTUM_STATEFUL_DOMAINS, you should list all the domains and subdomains that should be treated as "stateful" for SPA authentication. Make sure you separate them with commas and no spaces:

    SANCTUM_STATEFUL_DOMAINS=staging.example.com,example.com

  3. Clear your config cache to make sure your changes take effect. You can do this by running the following command in your terminal:

    php artisan config:clear

  4. Also, clear your cookies in the browser for both the main domain and the subdomain. This is important because the browser might be holding onto old cookies that are causing the conflict.

  5. Ensure that your middleware is set up correctly. If you're using Laravel Sanctum, make sure you have the EnsureFrontendRequestsAreStateful middleware included in your api middleware group in app/Http/Kernel.php:

    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        // ...
    ],

  6. Verify that your front-end application is configured to send the XSRF-TOKEN cookie in the header of every request. If you're using Axios, you can set up default headers like this:

    axios.defaults.withCredentials = true;
    axios.defaults.headers.common['X-XSRF-TOKEN'] = getCookie('XSRF-TOKEN');

    // Read one cookie by name from document.cookie.
    function getCookie(name) {
        let cookie = {};
        document.cookie.split(';').forEach(function(el) {
            let idx = el.indexOf('=');          // split on the first '=' only; the value may contain '='
            if (idx === -1) return;
            let k = el.slice(0, idx).trim();
            let v = el.slice(idx + 1);
            cookie[k] = decodeURIComponent(v);  // Laravel URL-encodes the cookie value
        })
        return cookie[name];
    }

  7. If you're using multiple subdomains and notice that the CSRF token is still not being set correctly, you might need to adjust the config/session.php configuration to ensure the domain is set to your base domain:

    'domain' => env('SESSION_DOMAIN', null),

By following these steps, you should be able to resolve the issue of having two XSRF tokens and ensure that the correct token is used for your staging and production environments. If the problem persists, you may need to debug further by checking the network requests and responses to see exactly when and where the additional token is being set.
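A lookup like getCookie above silently keeps one of two same-named cookies, which is exactly how a duplicate XSRF-TOKEN goes unnoticed. The following is an added example, not code from this thread, that parses the cookie string into name -> all values so a duplicate XSRF-TOKEN becomes a visible misconfiguration signal; the cookie string and token values are constructed.

```javascript
// Parse a document.cookie-style string into Map<name, [values...]>, keeping
// every same-named cookie instead of collapsing them into one.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');                       // split on the FIRST '=' only,
    const name = eq === -1 ? pair : pair.slice(0, eq);  // token values may contain '='
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); }            // Laravel URL-encodes XSRF-TOKEN
    catch (e) { value = raw; }                          // keep malformed values as-is
    if (!jar.has(name)) jar.set(name, []);
    jar.get(name).push(value);
  }
  return jar;
}

// Report the first XSRF-TOKEN value in cookie order and how many same-named
// cookies the browser attached (0 when there is no duplicate).
function xsrfTokenStatus(cookieString, name = 'XSRF-TOKEN') {
  const values = parseCookies(cookieString).get(name) || [];
  return {
    token: values.length ? values[0] : null,
    duplicates: values.length > 1 ? values.length : 0,
  };
}

// Constructed sample reproducing the thread's situation: one XSRF-TOKEN was
// set for .example.com and a second for staging.example.com. document.cookie
// lists both values but never shows their Domain attributes.
const SAMPLE_COOKIE =
  'XSRF-TOKEN=tokenFromBaseDomain%3D%3D; laravel_session=s1; XSRF-TOKEN=tokenFromStaging%3D%3D';

const status = xsrfTokenStatus(SAMPLE_COOKIE);
if (status.duplicates) {
  // Surface the misconfiguration instead of guessing which token the server expects.
  console.warn(`found ${status.duplicates} XSRF-TOKEN cookies; check SESSION_DOMAIN and clear stale cookies`);
}
```

Run it in the browser console on the affected page with document.cookie in place of SAMPLE_COOKIE to confirm whether two tokens are really present.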


@colinswp Hey, you can change your session name for the website inside the config/session.php file, then it will be working fine.


@amitsolanki24_ Hi, thanks for your reply.

I have the session cookies named staging or dev, etc.; it's the actual XSRF token that is being created twice, unfortunately.
