
sarfaraz1212

Session's not working in API's

Let me give you a brief of what I am trying to achieve here:

I am making an API for a 3-step form. What I am doing is, in each step, saving the data in the session, and I plan to create the record in the final step.

function orderInfo(CreateOrderInfoRequest $request)
{
    Session::put('order_info', $request->validated());
    return $this->apiResponse(true, 'Data Saved Successfully!', 200, []);
}

function departure(CreateDepartureRequest $request)
{
    Session::put('departure_info', $request->validated());
    return $this->apiResponse(true, 'Data Saved Successfully!', 200, []);
}

Now, if I print the session data in the same controller in the same API request, it works. However, if I try to get the session data in another controller like this:

function request(CreateServiceRequest $request)
{
    // Debugging: return the session data early to check whether it is there.
    $data = Session::get('order_info', 'No order information found');
    return $data;

    // Not reached while the debugging return above is in place.
    $data = $this->formatService->formatData($request->validated());
}

it is not working.

I read some content online that said to put the APIs under the "web" middleware, but then it gives a CSRF mismatch error.

My routes are as follows

<?php

use App\Http\Controllers\Api\User\MovingServiceController;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth:sanctum'])->prefix('user/service')->group(function () {
    Route::post('order-info', [MovingServiceController::class, 'orderInfo']);
    Route::post('departure', [MovingServiceController::class, 'departure']);
    Route::post('request', [MovingServiceController::class, 'request']);
});
shariff

Sessions will not work in an API. APIs are stateless. If you really want to use sessions in an API, you need to enable the session middleware in your API routes. It is not good practice to use sessions in an API.

For example:

Route::middleware(['api', 'web'])->group(function () {
    // your api routes
});
JussiMannisto

"I read some content online that said to put the APIs under the "web" middleware, but then it gives a CSRF mismatch error."

That is the correct solution if you want to use sessions.

Are you sending a CSRF token when you're making the API call? Do you know what CSRF is?

Show how you're sending the API request.

sarfaraz1212

@JussiMannisto Yes, I am aware of CSRF, but I have never passed it through APIs... The route is protected; I am only sending the access token.

JussiMannisto

@sarfaraz1212 You need to send the CSRF token. You can send it in a header named X-CSRF-TOKEN or in a parameter named _token.

Usually you don't have to add it manually because you can automate it. But I don't know how you're sending the API requests.

amitsolanki24_

@sarfaraz1212 You can add the api/* pattern to your VerifyCsrfToken middleware to bypass the CSRF token check for all API routes.

App\Http\Middleware\VerifyCsrfToken

protected $except = [
    'api/*',
];

puklipo

First, you need to understand what an API is.

Who will use that API?

If it’s JavaScript on a different domain or a different backend, you can’t use sessions in the first place.

aleahy

You should be able to do this using Sanctum. Have you applied this middleware?

->withMiddleware(function (Middleware $middleware) {
    $middleware->statefulApi();
})

Your user model will also need the HasApiTokens trait.

I don't know what your dev setup is like, but you may need to specify SANCTUM_STATEFUL_DOMAINS in your .env. Check the sanctum config file to make sure it will allow requests from your domain.
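Putting JussiMannisto's CSRF point and aleahy's statefulApi() point together, here is an added browser-side example (not code from this thread) of a client that goes through Sanctum's stateful cookie/session flow for the three steps, so each POST shares one laravel_session cookie and carries the CSRF token. The host name, the default /api route prefix and a prior session-based login are assumptions.

```javascript
// Constructed example: browser client for the three-step form using Sanctum's
// stateful flow (cookies + session) instead of a bearer token. Assumes the SPA
// host is listed in SANCTUM_STATEFUL_DOMAINS, the user already logged in through
// the session login route, and the routes live in routes/api.php (/api prefix).
const API_BASE = "https://app.example.test"; // assumption: same site as the SPA

// Laravel writes the token into the XSRF-TOKEN cookie URL-encoded. The header
// must carry the decoded value, otherwise VerifyCsrfToken reports a mismatch.
function xsrfTokenFromCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "XSRF-TOKEN") return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build fetch options for one form step. credentials: "include" sends the
// session cookie so the steps share a session; X-XSRF-TOKEN satisfies the
// CSRF check that the web/stateful middleware adds.
function stepRequest(payload, cookieHeader) {
  const token = xsrfTokenFromCookie(cookieHeader);
  if (!token) throw new Error("no XSRF-TOKEN cookie: call /sanctum/csrf-cookie first");
  return {
    method: "POST",
    credentials: "include",
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
      "X-XSRF-TOKEN": token,
    },
    body: JSON.stringify(payload),
  };
}

// Full flow in a browser: prime the CSRF cookie once, then post each step.
async function submitOrder(orderInfo, departure, serviceRequest) {
  await fetch(`${API_BASE}/sanctum/csrf-cookie`, { credentials: "include" });
  const steps = [["order-info", orderInfo], ["departure", departure], ["request", serviceRequest]];
  const results = [];
  for (const [path, payload] of steps) {
    const res = await fetch(`${API_BASE}/api/user/service/${path}`, stepRequest(payload, document.cookie));
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    results.push(await res.json());
  }
  return results;
}
```

If the XSRF-TOKEN cookie is missing, the client fails fast instead of sending a request that the server would reject with the same mismatch error the question describes.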

jaseofspades88

What's the problem you're trying to fix that needs to use sessions in a stateless API?

JussiMannisto

@jaseofspades88 Their problem was that they were getting a CSRF error when the route was in web.php. And that's because they aren't sending a CSRF token in the request. So... not the right fix.

jlrdw

If this is an online store, you need a web app, not an API. That's my suggestion.
