InCo2025

Sanctum Cookies 500 Error without response

Hey guys, I have a Vue frontend running via Docker and Nginx and a Laravel 12 application as my backend, working as an API and a little admin panel. I'm currently switching from tokens to cookies (which was working fine). I've followed the instructions in the Laravel documentation.

Here is the behavior: I can fetch the Sanctum cookie and log in. Then, when I send a request to a route protected by auth:sanctum, I encounter a 500 error without any response. There is no information about it in the log files apart from the request itself showing a 500 GET request. The API shows 500 after that; I need to remove the session entry from the cookies again or use an incognito tab to be able to see the API in the browser again.

I've tried a lot of different configurations (using different session_drivers, as an example), but nothing seemed to help. Does anyone know what to do?

Thank you for your help in advance!

LaryAI

Certainly! A 500 error with Sanctum using cookie authentication in a Docker/Nginx/Laravel setup frequently points to a misconfiguration at the session/cookie, CSRF, or CORS level. Here's a step-by-step way to diagnose and solve your issue:


1. Double-Check Your SANCTUM and SESSION Config

.env config:

SESSION_DRIVER=cookie
SESSION_DOMAIN=.yourdomain.com        # match your frontend domain, start with dot for subdomains
SANCTUM_STATEFUL_DOMAINS=localhost,127.0.0.1,frontend.yourdomain.com
SESSION_SECURE_COOKIE=true            # must be true if using HTTPS

Make sure to replace yourdomain.com and the frontend domain with your actual values.


2. Correct Frontend Cookie Handling

  • Frontend requests to protected routes should include withCredentials: true if using Axios or credentials: 'include' for fetch:
axios.get('https://api.yourdomain.com/user', { withCredentials: true });
// or
fetch('https://api.yourdomain.com/user', {
    credentials: 'include'
});

3. Set Up Nginx Properly to Forward Cookies

Check your Nginx config for these headers on the Laravel backend:

location / {
    proxy_pass http://your_laravel_container:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

4. CSRF Protection

  • Before making calls to /api/user, request the CSRF cookie (it sets XSRF-TOKEN). E.g.:
await axios.get('https://api.yourdomain.com/sanctum/csrf-cookie', { withCredentials: true });
  • Follow up with your login or other protected requests.

5. Laravel Middleware

api.php routes:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth:sanctum'])->get('/user', function (Request $request) {
    return $request->user();
});
  • Ensure that the api middleware group does NOT have StartSession. Sanctum handles this via its own middleware.

web.php routes: should have the web middleware for Sanctum CSRF to work if you mount the frontend on the same domain.


6. Check Logs Differently

  • If nothing shows in storage/logs/laravel.log, try running the container with php artisan serve and watch output for errors.
  • Also try docker logs <container_name>.

7. Common Gotchas

  • Mismatched domain setting: If SESSION_DOMAIN or SANCTUM_STATEFUL_DOMAINS don't match the origin, cookies won’t attach.
  • Session encryption: If cookies can’t be decrypted due to mismatched APP_KEY, you get 500 but sometimes no log. Rebuild Laravel container after changing .env!
  • Check for symlink issues: Sometimes session files or logs aren't writable inside Docker. chmod -R 777 storage bootstrap/cache to check.
  • Nginx buffer sizes: Rarely, large cookies can be blocked by proxy_buffer_size settings.

8. Debug Further

Add debugging code to see what’s breaking in middleware or controller:

use Illuminate\Support\Facades\Log;

// Inside a test route behind sanctum
Log::info('User:', [auth()->user()]);
return response()->json(auth()->user());

Watch for log output. If this logs nothing or a new error, it's a session/cookie/auth issue.


Summary:
It’s nearly always a misconfigured session/cookie/CORS/CSRF issue in multi-container setups. Review every domain/cookie setting, double-check Nginx headers, and ensure cookies are being sent. Add temporary debugging logs to pinpoint the application breakage.

Let me know your SESSION, SANCTUM, and cookie-related settings if the problem persists!

jlrdw

You probably need your admin part set up like a regular web app, but the user API part token based. Not knowing more about your app, that's my best guess.

InCo2025

Thank you for your answer. If further information would help you, please let me know.

InCo2025

@jlrdw After some major debugging I could trace it back to my tenantScope, which would result in an endless loop causing memory exhaustion.

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

class TenantScope implements Scope
{
    /**
     * Apply the scope to a given Eloquent query builder.
     */
    public function apply(Builder $builder, Model $model): void
    {
        if (auth()->check()) {
            $builder->where('tenant_id', auth()->user()->tenant_id);
        }
    }
}
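The loop the poster describes arises when the global scope is registered on the User model: resolving auth()->user() queries User, that query applies the scope, and the scope calls auth()->user() again. The following is an added example, not code from the thread, of a tenant scope that cannot start that loop; it assumes an App\Models\User model with a tenant_id column, as in the poster's snippet, and uses Laravel's Guard::hasUser(), which reports whether a user is already resolved without triggering a lookup.

```php
<?php
// Added example (not from the thread). Assumes App\Models\User with a
// tenant_id column, and that this scope is registered on tenant-owned
// models (possibly including User itself).

namespace App\Models\Scopes;

use App\Models\User;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

class TenantScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        // Resolving the authenticated user runs a query on User. If User
        // carries this scope, that query would call apply() again, which
        // would call auth()->user() again: the endless loop from the thread.
        // The user lookup by id therefore must never be tenant-scoped.
        if ($model instanceof User) {
            return;
        }

        // hasUser() only inspects the guard's already-resolved user and
        // never queries the database, so it cannot re-enter this scope.
        if (! auth()->hasUser()) {
            // Fail closed: with no tenant context, match no rows instead of
            // silently returning every tenant's data (the original scope
            // applied no filter at all in this case).
            $builder->whereRaw('1 = 0');
            return;
        }

        // Qualify the column so joins against other tenant tables stay
        // unambiguous.
        $builder->where(
            $model->qualifyColumn('tenant_id'),
            auth()->user()->tenant_id
        );
    }
}
```

Queries that legitimately run without an authenticated user (console commands, seeders) should use withoutGlobalScope(TenantScope::class) explicitly rather than relying on the scope being skipped.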
