
martinszeltins's avatar

TokenMismatch - with multiple Laravel projects on one server

I noticed a strange behavior. I have multiple Laravel projects on one server. When I log into one project and then try to log into another project (different sub domains) I get a TokenMismatchException.

But when I have not logged in to any project and I try to log in then it works. What could be causing this? Any ideas?

in config/session.php I have this

'domain' => '.mydomain.com',
diegoaurino's avatar

Hello, @martinszeltins!

Are those Laravel "projects" sharing the same domain? In this case, I believe you need to use the Redis driver instead of the default file session. Look for Redis sessions in the docs.

As I don't have any idea about how your web server is configured, it is hard to say if it is related to a wrong Apache configuration, for example. In some cases, you need to correctly use mod_rewrite to make it work well with Apache. I do not recommend editing your .htaccess to use RewriteBase. So, check it too.

Make sure the APP_NAME is properly set for each "project" because the SESSION_COOKIE will rely on this.

Also, check the following in the config/session.php:

/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically, this will be the root path of
| your application but you are free to change this when necessary.
|
*/

Hope this helps. Let me know.

martinszeltins's avatar

I changed the APP_NAME for each project but that didn't help.

I have an Apache server. The SESSION_DRIVER is set to file. Also, these Laravel projects share the same domain, with one.domain.com, two.domain.com, three.domain.com, etc.

Snapey's avatar

Because you specified the domain for the session, they all think they are part of the same application, and so present an invalid cookie each time you switch domains.

Removing the domain in config/session should help. Alternatively, give each project a different domain or just resort to clearing cookies each time.

martinszeltins's avatar

The reason I specified the domain was because I have one Laravel project that is spread across multiple subdomains that should share the same authentication across all subdomains.

Laravel1 project routes:

forum.ultimategaming.com
blog.ultimategaming.com

Laravel2 project routes:

laravel2.ultimategaming.com

I only specified session domain for Laravel1 project.
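
The cookie scoping discussed in this thread, as an added example that is not part of any post above: a small model of the browser's RFC 6265 domain matching, showing which session cookies reach each of the thread's hosts when only Laravel1 sets a `domain`. The cookie names and the jar contents are constructed, and the assumption that both projects use the same cookie name (`laravel_session`) is mine.

```javascript
// RFC 6265 section 5.1.3 domain-match, reduced to hostnames (no IP addresses).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ''); // a leading dot is ignored
  return h === d || h.endsWith('.' + d);
}

// A cookie stored without a Domain attribute is host-only: exact host match.
function cookiesSentTo(host, jar) {
  return jar.filter(c =>
    c.domain === null ? c.setBy.toLowerCase() === host.toLowerCase()
                      : domainMatches(host, c.domain));
}

// Cookie names that reach `host` from more than one scope, so the
// application cannot tell which value is its own.
function collidingNames(host, jar) {
  const scopes = new Map();
  for (const c of cookiesSentTo(host, jar)) {
    const scope = c.domain === null ? 'host-only:' + c.setBy : 'domain:' + c.domain;
    if (!scopes.has(c.name)) scopes.set(c.name, new Set());
    scopes.get(c.name).add(scope);
  }
  return [...scopes].filter(([, s]) => s.size > 1).map(([name]) => name);
}

// Constructed jars. Laravel1 sets 'domain' => '.ultimategaming.com';
// Laravel2 leaves the domain unset, so its cookie is host-only.
const sharedName = [
  { name: 'laravel_session', domain: '.ultimategaming.com', setBy: 'forum.ultimategaming.com' },
  { name: 'laravel_session', domain: null, setBy: 'laravel2.ultimategaming.com' },
];
const distinctNames = [
  { name: 'laravel1_session', domain: '.ultimategaming.com', setBy: 'forum.ultimategaming.com' },
  { name: 'laravel2_session', domain: null, setBy: 'laravel2.ultimategaming.com' },
];

function report(jar) {
  return ['forum', 'blog', 'laravel2'].map(sub => {
    const host = sub + '.ultimategaming.com';
    return { host, sent: cookiesSentTo(host, jar).map(c => c.name),
             colliding: collidingNames(host, jar) };
  });
}

console.log(JSON.stringify({ sharedName: report(sharedName),
                             distinctNames: report(distinctNames) }, null, 2));
```

In the model, the parent-domain cookie still reaches laravel2.ultimategaming.com when the names differ; only the name collision goes away.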
