Laravel 8 session ID not persisting (is set in cookie)

Hi all,

Hoping for a nice quick response!

I have a Laravel 8 setup using a Socialite OAuth2 provider. There is an Auth service working well to redirect people to login, register, logout and retrieve the user (OpenID) on login via the callback function.

The flow (all HTTPS) is my.site/login (sets the state into the user's session) -> Redirect to auth.provider?with-state (login) -> Auth redirects to my.site/login/callback (here I want to retrieve the session)

However, when I try to retrieve the session, there is no session ID provided in the POST request. It is there in the browser (I can't provide pictures, but it's in my web dev tools).

mysite_session: xHi80OXarF8DHhxkAgrC4aizwMz8bP1dV3p32mVE (HTTP Only, secure, domain is .my.site, path is /). I turned encrypted sessions off for debugging.

I'm using the file session storage, the session file from the login redirect is present and correct (contains the data I set to it).

If I navigate to any app page (even if I leave the domain first) I see it in the request Cookie: XSRF-TOKEN=XodOr9mF1PYU4r4X7szMTtl8rPUWVbGA0M5wUGpO;mysite_session=xHi80OXarF8DHhxkAgrC4aizwMz8bP1dV3p32mVE

And I can retrieve it with the values set. However, when I get returned from the auth domain (it posts the state and code from the user's browser to Laravel) there is no Cookie: header in the request! It then just generates a new session that doesn't have my data in it!

This is all before the call to Auth:login (happens after user is returned from callback).

All this is because the client is using multiple policies so I need to "remember a string" on login/register redirect so I know which policy to check grants against on callback.

As I say, I cannot post images, but here would be a screenshot from the browser making a POST request to https://my.site/login/callback WITHOUT any Cookie header.

I'm well versed in PHP and sessions. I am 100% sure I have my session driver set up correctly, and as above I can see the files being created, data appended and everything; it's just this POST back to the callback that does not seem to have it.

I am not totally familiar with Socialite, so please, if anyone can help, I'm at my desk 9am to 7pm GMT and can provide any details needed. I just don't get that when the browser gets back from Auth and it posts the state and code parameters to my app callback, it ignores the cookies that are set correctly on any other request...

Is this because the origin of the redirect is the auth domain and not the Laravel domain? Origin policies make some sense, but I'm a bit misty on these, especially where Laravel and OAuth are concerned....

Geez

Spent hours trawling SO and here. Spent half an hour writing a detailed question with as much detail and debug as I could.

Solved in 5 minutes after reading my own damned post.

If it helps, it's all about the origin policy and the cookie security.

I set same_site from Lax to None, as per the latest Chrome and Firefox advisories, and it works.

I surmise that this is because the POST is instigated in the user's browser by a different domain (the auth.domain), therefore it is deemed not same-site.

I am not happy setting this to None though. I know what the auth domain is and it won't change, so (here I'm looking for advice because I'm foggy!) can I use Access-Control-Allow-Origin to allow just the auth server domain to set this cookie when it performs the POST back to the callback?

(Also, my fellow peers, am I right here? I feel dumb and I really should know this, but it's been a blue moon since! A peer review and some cross-site Allow-Origin refreshers/links/tips would be most welcome!)

Thanks for taking the time to read!!
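The reply's surmise about why the cookie disappears on the callback can be checked with a small model of the browser's SameSite rule. The script below is an added example, not code from the original post or from Laravel; it uses the placeholder hosts my.site and auth.provider from the thread and the real `config/session.php` keys `same_site` and `secure`. It runs the three requests described above (same-site GET to an app page, the cross-site POST back to the callback, and a cross-site GET redirect to the same callback) against the Laravel 8 default of `lax` and against `none`.

```php
<?php
// Added example, not code from the original post: a minimal model of the
// browser's SameSite rule, applied to the requests described in the thread.
// Hostnames my.site and auth.provider are the placeholders used in the post.
declare(strict_types=1);

// Two-label approximation of the "registrable domain" (sufficient for these hosts).
function siteOf(string $host): string
{
    return implode('.', array_slice(explode('.', $host), -2));
}

/**
 * Decide whether a browser attaches $cookie to a top-level navigation
 * that $fromHost triggers towards $toHost with HTTP method $method.
 * $cookie = ['same_site' => 'lax'|'strict'|'none', 'secure' => bool]
 * Returns [bool $sent, string $reason].
 */
function cookieSent(array $cookie, string $fromHost, string $toHost, string $method): array
{
    $attr = strtolower($cookie['same_site']);
    if ($attr === 'none' && !$cookie['secure']) {
        return [false, 'SameSite=None without Secure: browsers reject the cookie outright'];
    }
    if (siteOf($fromHost) === siteOf($toHost)) {
        return [true, 'same-site request, SameSite never blocks it'];
    }
    if ($attr === 'strict') {
        return [false, 'SameSite=Strict withholds the cookie on every cross-site request'];
    }
    if ($attr === 'lax') {
        return $method === 'GET'
            ? [true, 'SameSite=Lax allows cross-site top-level GET navigations']
            : [false, "SameSite=Lax withholds the cookie on a cross-site top-level $method"];
    }
    if ($attr === 'none') {
        return [true, 'SameSite=None; Secure is sent on cross-site requests'];
    }
    return [false, 'unknown SameSite value'];
}

// config/session.php values: the Laravel 8 default versus what the reply switched to.
// 'secure' must be true for 'none'; in Laravel that is SESSION_SECURE_COOKIE=true.
$lax  = ['same_site' => 'lax',  'secure' => true];
$none = ['same_site' => 'none', 'secure' => true];

// The three requests from the thread (constructed sample data).
$requests = [
    ['app page after the login redirect',            'my.site',       'my.site', 'GET'],
    ['callback POSTed by the form auth.provider returns', 'auth.provider', 'my.site', 'POST'],
    ['callback reached by a plain redirect (GET)',   'auth.provider', 'my.site', 'GET'],
];

foreach (['lax' => $lax, 'none' => $none] as $label => $cookie) {
    echo "same_site = $label\n";
    foreach ($requests as [$desc, $from, $to, $method]) {
        [$sent, $why] = cookieSent($cookie, $from, $to, $method);
        printf("  %-50s %-9s %s\n", $desc, $sent ? 'sent' : 'withheld', $why);
    }
}
```

Run it with `php samesite.php`. Under `lax` the model withholds the session cookie only for the cross-site POST, which is exactly the symptom in the question, while the cross-site GET to the same callback path is allowed. Two points for the Access-Control-Allow-Origin question in the reply: CORS response headers govern whether script on another origin may read a response, not whether the browser attaches cookies to a top-level form POST, so they cannot scope this cookie to the auth domain; and the Chrome two-minute "Lax+POST" allowance applies only to cookies that carry no SameSite attribute at all, which Laravel always sets explicitly, so it does not help here. The practical choices are therefore to keep `none` with `secure` enabled and rely on the OAuth `state` check the question already performs to reject forged callbacks, or to have the provider deliver the callback as a GET redirect so that `lax` suffices.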
