Level 63
You have to set the SESSION_DOMAIN to .domain.com in the .env file.
SESSION_DOMAIN=.domain.com
1 like
Aug 7, 2024
9
Level 6
Help with CORS Issue: Frontend at https://domain.com and Subdomains, Laravel CORS Configuration Issue
I'm facing a CORS issue with my frontend at https://domain.com and its subdomains. My CORS configuration in Laravel looks like this:
return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => ['/^https:\/\/([a-z0-9-]+\.domain\.com)$/'],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,
];
The error I get is: "Access to XMLHttpRequest at 'https://backend.domain.com/api/v1/auth/login' from origin 'https://domain.com' has been blocked by CORS policy."
Could someone help me identify what's wrong with this configuration?
Level 6
@vincent15000 Thanks, but it's same
1 like
Level 35
Instead of adding the allowed_origins_patterns add the url to the allowed origins.
return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['https://domain.com'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,
];
Here is a nice explanation on the topic by cdruc: https://www.youtube.com/watch?v=VW5fWPxv7Ak
2 likes
Level 6
@prasadchinwal5 Thanks, but in my case my frontend support wildcard subdomain so the request maybe from https://domain.com or https://*.domain.com
1 like
Level 63
Are you using Sanctum ? Passport ? Something else ?
Is the authentication stateful ? stateless ?
1 like
Level 6
@vincent15000 I'm using sanctum with stateless, but I solved the issue, I have an exception and it cause that
1 like
Level 63
@ShadyarBzharOthman Ok .. so you can close the post.
1 like
Level 1
Your config/cors.php configuration looks good, but there are a few points to address:
allowed_origins and allowed_origins_patterns: Since you want to allow both the main domain and its subdomains, you can use allowed_origins_patterns with a regular expression to match them. The allowed_origins setting can be left as ['*'] to simplify, but it's typically better to be more specific for security reasons.
supports_credentials: If you are using cookies or other credentials with your requests, you should set this to true. If not, you can leave it as false.
Here's a refined version of your config/cors.php configuration:
return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'], // You can restrict this to specific origins if needed
'allowed_origins_patterns' => [
'/^https:\/\/([a-z0-9-]+\.domain\.com)$/'
],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => true, // Set to true if you need to support credentials
];
Additional Tips: Testing: Ensure that your browser is not caching old CORS configurations. You might want to test using Incognito mode or clear your browser cache.
Network Tab: Use your browser's developer tools (Network tab) to inspect the CORS headers in requests and responses to verify that the CORS settings are being applied correctly.
Debugging: If you still encounter issues, consider enabling detailed error messages in Laravel or using tools like Postman to test CORS headers independently of your frontend.
This configuration should help you manage CORS properly for your main domain and its subdomains. If you have any more questions or run into issues, feel free to ask!
2 likes
Level 6
@techigator Thank you very much, I solved!
Please or to participate in this conversation.