
Rjonwal

How to block laravel_session and XSRF-TOKEN cookies until the user accepts/allows them in Laravel 5.8

Need help urgently. I have a Laravel site on version 5.8, and it runs in a European country. So according to the EU cookies law we cannot store Laravel cookies until the user accepts/allows them. But Laravel stores the default laravel_session & XSRF-TOKEN in the user's browser on load.

How can I stop it until the user accepts/allows them? After the user accepts cookies, laravel_session & XSRF-TOKEN will be stored.

I already tried the "spatie/laravel-cookie-consent" package, but it is not worth it.

Someone in the Laravel community, please help me ASAP.

0 likes
5 replies
Snapey

I think you are overly concerned. Those cookies don't contain anything that is capable of tracking the user.

And for clarity, the regulations relate to the rights of EU citizens, and where your server is located is totally irrelevant.

Rjonwal

According to EU law, a website cannot store any kind of data in the user's browser.

How can we do this in Laravel?

tisuchi

@rjonwal I would say, simply comment out the session- and cookie-related classes in app\Http\Kernel.php.

\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,

But I totally agree with @snapey that you are overly concerned. By default, it doesn't store any user-trackable information that he mentioned. I don't think it will break any law.

AcidDiz

Hi, maybe I am late. You don't need to do that. Those are session cookies and you don't need the user's permission; you just need to inform users that without those cookies your application won't work. Take a look here: https://gdpr.eu/cookies/

martinbean

Indeed. You can use session cookies without consent. The pertinent part from that article:

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

Consent is required for analytics and advertising tracking cookies, though. And they should at no point contain personally-identifiable information (such as name, email address, etc).

3 likes
