Laravel 10: request()->cookies->all() empty on one subdomain but not others (cookies present in browser)

Hi all,

I’m seeing a very odd Laravel/Symfony behavior related to cookies and subdomains, and I’m hoping someone recognizes this pattern.

Setup (simplified): Laravel 10, PHP 8.3 Multiple subdomains on the same app: staging.website.us = works staging-pages.website.us = works staging-account.website.us = broken Same Apache vhost and PHP-FPM pool for all subdomains Session cookie domain: .website.us All routes use the web guard

The problem: On staging-account.website.us only: Browser sends cookies correctly $_COOKIE contains all expected cookies bin2hex($_SERVER['HTTP_COOKIE']) is identical to working subdomains BUT request()->cookies->all() is an empty array Auth::check() fails on protected routes On the other subdomains: request()->cookies->all() contains the expected cookies Sessions and auth work normally

Important details: The same encrypted session cookie (session_cookie) is present on all subdomains Crypt::decryptString($_COOKIE['session_cookie']) works everywhere However, session()->getId() differs between working and non-working subdomains There is only one active session row in the database (the working one)

Debugging notes: Early middleware logging shows cookies present By the time the controller runs on the broken subdomain, the Symfony cookie bag is empty No guard mismatch (web everywhere) Removing auth / verified middleware makes no difference Dev environment does not reproduce the issue (same subdomain pattern)

Question: What could cause Symfony’s request cookie bag to be empty on only one subdomain, even though: The browser sends cookies correctly PHP $_COOKIE is populated The session cookie domain is .website.us

Is there anything in Laravel or Symfony that conditionally drops cookies based on host, request normalization, or trusted proxies?

Any insight would be hugely appreciated — I’m clearly missing something fundamental here.

Thanks!