abixalmon@me.com's avatar

[Laravel 5.1] Disable Session and Cookies for some routes

I would like to disable the following middleware for my API routes:

\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,

How should I do it without breaking anything?

0 likes
5 replies
bestmomo's avatar

@abixalmon

Maybe you can add a constructor to Kernel to manage the $middleware stack:

<?php namespace App\Http;

use Illuminate\Routing\Router;
use Illuminate\Contracts\Foundation\Application;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel {

    public function __construct(Application $app, Router $router)
    {
        $url = \Illuminate\Http\Request::capture()->url();

        // Change $middleware property depending on $url

        parent::__construct($app, $router);
    }

...

abixalmon@me.com's avatar

Doesn't work, getting error 500. I think the request object cannot be initialized.

bestmomo's avatar

I have checked it in a project and it works.

abixalmon@me.com's avatar

I did it easily

    protected $middleware = [
    ...
        \App\Http\Middleware\ApiMiddleware::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
    ];

<?php

namespace App\Http\Middleware;

use Closure;

class ApiMiddleware
{
    protected $except = [
        'api/*'
    ];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        foreach ($this->except as $except) {
            if ($request->is($except)) {
                // Matching routes use the in-memory "array" driver,
                // so no session data is persisted for them.
                config()->set('session.driver', 'array');
            }
        }
        return $next($request);
    }
}

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'api/*'
    ];

    public function handle($request, Closure $next)
    {
        foreach ($this->except as $except) {
            if ($request->is($except)) {
                return $next($request);
            }
        }

        return parent::handle($request, $next);
    }
}
2 likes
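
A check for the split described in the answer above, as an added example that is not part of the original thread: it audits response headers to confirm that `api/*` responses set no session or CSRF cookie while other routes still receive the session cookie. The cookie names `laravel_session` and `XSRF-TOKEN` are Laravel's defaults and are assumed unchanged, the wildcard matcher only approximates `$request->is()`, and the sample responses are constructed.

```python
import re

# Assumptions: "api/*" is the pattern used in the thread; the cookie names are
# Laravel's defaults and differ if config/session.php was changed.
STATELESS_PATTERNS = ["api/*"]
STATE_COOKIES = {"laravel_session", "XSRF-TOKEN"}


def matches(pattern, path):
    """Wildcard match approximating $request->is(): '*' spans any characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path.split("?", 1)[0].strip("/")) is not None


def is_stateless(path):
    return any(matches(p, path) for p in STATELESS_PATTERNS)


def cookie_names(headers):
    """Names of all cookies a response sets; headers is a list of (name, value)."""
    return {v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"}


def audit(responses):
    """Return (path, problem) pairs for responses that break the intended split."""
    findings = []
    for path, headers in responses:
        names = cookie_names(headers)
        if is_stateless(path):
            for leaked in sorted(names & STATE_COOKIES):
                findings.append((path, "stateless route sets " + leaked))
        elif "laravel_session" not in names:
            findings.append((path, "web route lost its session cookie"))
    return findings


# Constructed sample responses (not captured from a real application).
SAMPLE = [
    ("/api/users?page=2", [("Content-Type", "application/json")]),
    ("/api/login", [("Set-Cookie", "laravel_session=abc123; path=/; httponly")]),
    ("/apiary", [("Set-Cookie", "laravel_session=def456; path=/; httponly"),
                 ("Set-Cookie", "XSRF-TOKEN=tok; path=/")]),
    ("/admin/posts", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(path, "->", problem)
```

Note that `/apiary` and a bare `/api` do not match `api/*`, so they keep sessions and CSRF verification.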
AnotherSamPower's avatar

In 5.4 and later you can set a SESSION_DOMAIN .env variable to any value you like. Then the domain must begin with that to be using the cookies.

SESSION_DOMAIN=admin

So the site must be site_url/admin to have cookies working. I've used this on a site as I only want to use cookies on the admin part of the site.
