
Danlog

Keep the same laravel_session between api requests

I am working on an authentication workflow with Laravel Passport, but the laravel_session cookie changes every time, which is causing issues.

I am not sure how to fix it. And this is what I've tried so far:

In app.php:

->withMiddleware(function (Middleware $middleware) {
    // prepend: keeps the group's default middleware (throttle:api, SubstituteBindings)
    $middleware->api(prepend: [
        \Illuminate\Session\Middleware\StartSession::class,
    ]);
})

In my .env file:

SESSION_DRIVER=database
SESSION_DOMAIN=site.test
SESSION_SAME_SITE=none
SESSION_SECURE_COOKIE=false
SESSION_LIFETIME=120

Has anyone managed to keep the same cookie in all api requests of a logged-in user?

0 likes
6 replies
LaryAI

To maintain the same laravel_session cookie across API requests in a Laravel application, you need to ensure that the session is properly configured and that the session middleware is correctly applied to your API routes. Here are some steps and considerations to help you achieve this:

  1. Session Configuration:

    Ensure your session configuration in the .env file is set up correctly. You have already set some of these, but let's review them:

    SESSION_DRIVER=database
    SESSION_DOMAIN=site.test
    SESSION_SAME_SITE=none
    SESSION_SECURE_COOKIE=false
    SESSION_LIFETIME=120
    
    • SESSION_DRIVER=database: This is fine for storing sessions in the database. Ensure your sessions table is migrated and available.
    • SESSION_DOMAIN=site.test: This should match the domain you are accessing your API from.
    • SESSION_SAME_SITE=none: This is necessary if you are making cross-site requests.
    • SESSION_SECURE_COOKIE=false: Set this to true if you are using HTTPS.
    • SESSION_LIFETIME=120: This is the session lifetime in minutes.
  2. Middleware Configuration:

    Ensure that the session middleware is applied to your API routes. You can do this by modifying your api.php routes file or by creating a middleware group in Kernel.php.

    In app/Http/Kernel.php, you can create a middleware group for your API routes:

    protected $middlewareGroups = [
        'api' => [
            // EncryptCookies must run before StartSession: the web group writes
            // the session cookie encrypted, so an api group without it cannot
            // read that ID and starts a new session on every request.
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
    

    Make sure that StartSession middleware is included in the api middleware group.

  3. CSRF Token:

    If you are using sessions with API requests, you might need to handle CSRF tokens. Ensure that your requests include the CSRF token if necessary, or consider excluding your API routes from CSRF protection if appropriate.

  4. CORS Configuration:

    If your API is accessed from a different domain, ensure that CORS is configured correctly. You can configure CORS in config/cors.php:

    <?php
    // config/cors.php. With supports_credentials on, a '*' origin effectively
    // lets any site send and read credentialed requests; list the front-end
    // origin explicitly (https://site.test is a placeholder for yours).
    return [
        'paths' => ['api/*'],
        'allowed_methods' => ['*'],
        'allowed_origins' => ['https://site.test'],
        'allowed_origins_patterns' => [],
        'allowed_headers' => ['*'],
        'exposed_headers' => [],
        'max_age' => 0,
        'supports_credentials' => true,
    ];
    

    Setting supports_credentials to true is important for sending cookies with cross-origin requests.

  5. Testing:

    After making these changes, clear your application cache and test your API requests to ensure the session cookie remains consistent:

    php artisan config:cache
    php artisan route:cache
    php artisan view:cache
    

By following these steps, you should be able to maintain the same laravel_session cookie across your API requests. If issues persist, double-check your domain settings and ensure that your client-side requests are correctly configured to send cookies.
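The original poster is on Laravel 11 (bootstrap/app.php rather than app/Http/Kernel.php), so here is the same session setup written for that layout, as an added example that is not part of the answer above and not the poster's code. It prepends the cookie and session middleware to the api group and registers a small check route that proves the cookie is round-tripping: called twice with the same cookie jar it must return the same session id and a rising counter. Two things outside the PHP are assumed: SESSION_SECURE_COOKIE=true together with SESSION_SAME_SITE=none (browsers store a SameSite=None cookie only when it also carries Secure, so the .env in the question, with Secure off, yields a cookie the browser drops and therefore a new session on every request), and that https://site.test is served with a trusted certificate. The route /api/session-check is this example's own.

```php
<?php
// bootstrap/app.php (Laravel 11). Added example, not the thread's own code.
//
// Pair it with these .env values (assumed; they differ from the question's):
//   SESSION_DRIVER=database
//   SESSION_DOMAIN=site.test
//   SESSION_SAME_SITE=none
//   SESSION_SECURE_COOKIE=true   # SameSite=None is only stored together with Secure
//   SESSION_LIFETIME=120

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
        // Check route (this example's own). Routes declared in then: get no
        // group automatically, so the 'api' group and prefix are attached here.
        then: function () {
            Route::middleware('api')->prefix('api')->get('/session-check', function (Request $request) {
                return [
                    // Same id on every call once the cookie is stored and sent back.
                    'session_id' => $request->session()->getId(),
                    // 1, 2, 3, ... across calls; resets to 1 if a new session was started.
                    'hits' => $request->session()->increment('hits'),
                ];
            });
        },
    )
    ->withMiddleware(function (Middleware $middleware) {
        // prepend: keeps the group's defaults ('throttle:api', SubstituteBindings).
        // EncryptCookies must run before StartSession: the web group writes the
        // session cookie encrypted, so an api group without it cannot read the
        // ID it is handed and issues a fresh session on every request.
        $middleware->api(prepend: [
            \Illuminate\Cookie\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })
    ->create();

// Shell check (constructed commands): run twice with the same cookie jar.
// The second response must carry the same session_id and hits = 2.
//   curl -s -c jar.txt -b jar.txt https://site.test/api/session-check
//   curl -s -c jar.txt -b jar.txt https://site.test/api/session-check
// From a browser on another origin, fetch() must pass credentials: 'include',
// otherwise the cookie is never sent and every call looks like a new visitor.
```

If the second curl call still returns a different session_id, the cookie is not being stored or sent: compare the Set-Cookie line from the first response against the cookie jar, and check that Domain, Secure and SameSite on it match how the client actually reaches the API.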

vincent15000

Your question makes no sense.

An API is stateless, so you don't have any session between the different API requests.

To use an API, you need to send a token and this token will be analysed to check if you have the authorization to do the action you want to do.

Danlog

@vincent15000 Sure, but when you're trying to implement a passkey, you are required to have matching tokens for the challenge, otherwise there is a mismatch, AFAIK. That's why I am trying to make this work.

Maybe I am wrong, though.

1 like
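What the poster describes is the real constraint: the server must remember which challenge it issued so the authenticator's response can be checked against it. That memory does not have to live in a session cookie, though. The class below is an added example (not the poster's code, and not the API of Laravel Passport or of any passkey library) of binding the challenge to a short-lived, single-use id that the client carries between the two API calls, which keeps the API stateless in the sense vincent15000 means. It relies only on Laravel's cache contract; the class name, the cache key prefix and the five-minute lifetime are this example's own choices.

```php
<?php
// Added example, not code from the thread. Stores a passkey (WebAuthn)
// challenge under an opaque id with a TTL and consumes it on first use, so
// the options call and the verify call need no shared session cookie.

namespace App\Auth;

use Illuminate\Contracts\Cache\Repository as Cache;

final class ChallengeStore
{
    private const PREFIX = 'webauthn:challenge:';   // key prefix chosen for this example
    private const TTL_SECONDS = 300;                // lifetime chosen for this example

    public function __construct(private Cache $cache)
    {
    }

    /**
     * Issue a fresh 32-byte challenge. The client passes 'challenge' to
     * navigator.credentials.create()/get() and later posts 'id' back.
     */
    public function issue(): array
    {
        $id = bin2hex(random_bytes(16));
        $challenge = random_bytes(32);
        $this->cache->put(self::PREFIX.$id, $challenge, self::TTL_SECONDS);

        return ['id' => $id, 'challenge' => self::b64url($challenge)];
    }

    /**
     * Compare the challenge echoed in clientDataJSON with the stored one.
     * pull() removes the entry, so each challenge is usable exactly once and
     * an unknown, replayed or expired id fails closed.
     */
    public function verify(string $id, string $clientDataJson): bool
    {
        if (! preg_match('/^[0-9a-f]{32}$/', $id)) {
            return false;
        }

        $expected = $this->cache->pull(self::PREFIX.$id);
        if (! is_string($expected)) {
            return false;
        }

        $data = json_decode($clientDataJson, true);
        if (! is_array($data) || ! isset($data['challenge']) || ! is_string($data['challenge'])) {
            return false;
        }

        $echoed = self::b64urlDecode($data['challenge']);

        // Constant-time comparison of the raw challenge bytes.
        return $echoed !== null && hash_equals($expected, $echoed);
    }

    private static function b64url(string $bytes): string
    {
        return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
    }

    private static function b64urlDecode(string $s): ?string
    {
        $padded = str_pad(strtr($s, '-_', '+/'), (int) (ceil(strlen($s) / 4) * 4), '=');
        $decoded = base64_decode($padded, true);

        return $decoded === false ? null : $decoded;
    }
}
```

The options endpoint returns issue() to the browser; the verify endpoint receives the id alongside the authenticator response and calls verify() with the raw clientDataJSON, which the browser encodes as base64url with the challenge inside. A complete WebAuthn verifier also checks the type and origin fields of clientDataJSON and the signature over authenticatorData; this class covers only the challenge binding that the thread is about.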
Danlog

@vincent15000 Yes, that's the path I am taking. More tedious, and more issues, but that seems to be what worked so far.

1 like
