
monty75's avatar

Session expired (error 419) during login and registration after deployment

Hi. After deploying a Laravel/VueJS (5.7) application on a production server, the login and registration attempts fail immediately with a "session has expired" error (419). I've used Laravel Passport for authentication. Everything is working correctly on the development server. Any idea on the origin of the problem?

0 likes
16 replies
satiseven777's avatar

See session.php in the conf file! If you are using https you should disable http_only! If you don't have a table for storing sessions, change the driver to file! Look at storage/framework/sessions after trying to log in or register and check whether a new file has been created or not!

realrandyallen's avatar

Is your APP_KEY set in your .env file? If not run:

php artisan key:generate and try again

1 like
monty75's avatar

Thanks for your reply. http_only was already disabled. Sessions are stored as files and they exist under storage/framework/sessions. After removing them and trying to login or to register a new user, I still have the same error.

monty75's avatar

@REALRANDYALLEN - Thanks for your reply Randy. New keys were generated after deployment and they're present in the .env file. I'm using the file driver and the session files are well generated after a login or a registration. The 419 error is displayed immediately after a login or a registration.

realrandyallen's avatar

@MONTY75 - Hrm, this is usually a CSRF token issue but since you've deployed it to production I'm assuming it worked locally so that shouldn't be an issue...but you could always temporarily disable CSRF protection and test just to eliminate it as an issue

in app/http/Kernel.php just comment out

\App\Http\Middleware\VerifyCsrfToken::class,

1 like
realrandyallen's avatar

@MONTY75 - I'm glad it fixed it; however, you really need to uncomment that line and leave it on or you've introduced a security hole in your system. I only suggested to comment it out temporarily in order to prove it was the issue...but:

Are you properly adding the CSRF token to all your forms?

<form method="POST" action="/profile">
    {{ csrf_field() }}
    ...
</form>

https://laravel.com/docs/5.5/csrf#csrf-introduction

1 like
monty75's avatar

@REALRANDYALLEN - @csrf are present in all my forms. I've installed barryvdh/laravel-cors to send CORS headers but it didn't solve the problem. Maybe the problem is coming from axios or vue-axios, not Laravel.

realrandyallen's avatar

@MONTY75 - Are you sending your token in the payload as well when you post via axios in your Vue components?

ahmedmuneer's avatar

I took my friend's .env file and pasted it, and have been struggling for two days with this issue. I have generated a new KEY but it is still showing the same problem.

Melayyoub's avatar

If you guys hit this expired issue, it's not only about the key, it's about the env file: check your cache, key, and host.

some cases ... CACHE_DRIVER= SESSION_DRIVER=file QUEUE_DRIVER=sync ...

should be =file, not null

Hope this helps

pedrojaphed's avatar

For me, deleting session_domain from .env solved the issue

Eleetgeek's avatar

I encountered the same problem and I realised that it is caused by having an active session in the Local instance while trying to login to the Live instance. Try logging out the localhost instance.

CutePotato's avatar

Remember, when working locally without SSL you want to have SESSION_SECURE_COOKIE unset in .env

2 likes
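
Added example, not part of any post in this thread: a small Node.js check that reads a .env file's text and the URL the site is served from, and reports the settings the replies above name as causes of the 419 error (APP_KEY, empty drivers, SESSION_DOMAIN, SESSION_SECURE_COOKIE). The function names, the sample .env content and the example.com hosts are constructed for illustration.

```javascript
// Added diagnostic sketch, not code from the thread or from Laravel.
// If the browser drops the session cookie, each request starts a new session,
// the CSRF token no longer matches and the POST is answered with 419.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    // Keep everything after the first '=' and strip optional surrounding quotes.
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

// RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

function check419Causes(envText, siteUrl) {
  const env = parseEnv(envText);
  const url = new URL(siteUrl);
  const findings = [];
  if (!env.APP_KEY) findings.push('APP_KEY is empty: run php artisan key:generate');
  for (const key of ['SESSION_DRIVER', 'CACHE_DRIVER']) {
    if (key in env && env[key] === '') findings.push(`${key} is set but empty`);
  }
  const domain = env.SESSION_DOMAIN;
  if (domain && domain !== 'null' && !domainMatches(url.hostname, domain)) {
    findings.push(`SESSION_DOMAIN=${domain} does not match host ${url.hostname}`);
  }
  // Browsers only return Secure cookies over HTTPS (some exempt localhost).
  if (String(env.SESSION_SECURE_COOKIE).toLowerCase() === 'true' && url.protocol !== 'https:') {
    findings.push('SESSION_SECURE_COOKIE=true but the site is served over plain HTTP');
  }
  return findings;
}

// Constructed sample: a .env copied from another host, served over HTTP.
const sampleEnv = [
  'APP_KEY=base64:CONSTRUCTED-PLACEHOLDER=',
  'CACHE_DRIVER=',
  'SESSION_DRIVER=file',
  'SESSION_DOMAIN=example.org',
  'SESSION_SECURE_COOKIE=true',
].join('\n');
console.log(check419Causes(sampleEnv, 'http://shop.example.com/login'));
```

An empty result means none of these settings explains the error, and the next thing to check is whether the token is actually sent with the request.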
