Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

hackcharms's avatar

Session expire on recieving POST request from other Domain.

I'm working on a project in which for transactions using VoguePay, integrating by the server to server API method.

page link : https://voguepay.com/documentation#section-two

After completing payment when redirect on success_url(on my website) session get expired.

At starting I thought maybe redirection from http to https is the reasion so for that I created two laravel applications let's say laravel1 & laravel2. Now from laravel redirect on laravel2, and on laravel two created a form that send a post request to laravel1 , when I send a post request to laravel1 session expired again.

In short : whenever a post request receive from the outer domain session get expired.

Things I have done :- excluded that rout from VerifyCsrfToken middleware , Tried by toggling with

   'domain' => env('SESSION_DOMAIN', null),
   'expire_on_close' => false  , ``` 

in session configuration file (config->Session.php).
Tried by storing sessions in table , nothing worked.
0 likes
3 replies
automica's avatar

This will be because laravel is expecting a csrf token in a post and it won’t be present in the request from your externals url's post request.

To get round this you can exclude the remote url from being checked for a token.


namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}

https://laravel.com/docs/8.x/csrf#csrf-excluding-uris

1 like
hackcharms's avatar

Thanks @automica for your response ,

I have already excluded that route from VerifyCsrfToken middleware , As for as I know problem arises without csrf token is page get expire not session , If page get expire then login user will still authenticated but in session case it will be logged out.

Please or to participate in this conversation.