
aarontharker

User getting 401 error doing XHR updates

I have a user getting a 401 error from sanctum during XHR updates. The user's account works fine when I log in on my machine, so it must be something local on their machine. I just have no idea what may be causing the issue. If I check the application section of their browser's dev console it shows the session and xsrf tokens as being there and correct.

Does anyone have any other ideas what may be causing this sort of behaviour?

LaryAI

It sounds like the issue might be related to how the CSRF (Cross-Site Request Forgery) token is being handled or sent in the XHR requests from the user's browser. Here are a few things you can check and try to resolve the 401 error:

  1. Ensure CSRF Token is Sent in Headers: Make sure that the CSRF token is properly included in the headers of your XHR requests. Laravel Sanctum requires the XSRF-TOKEN cookie to be sent as a header in AJAX requests.

    You can manually add this to your headers in your JavaScript code like this:

    // Laravel URL-encodes the cookie value (base64 padding "=" becomes "%3D"),
    // so decode it; the server must be able to decrypt the header value.
    axios.defaults.headers.common['X-XSRF-TOKEN'] = decodeURIComponent(
      document.cookie.split('; ')
        .find(row => row.startsWith('XSRF-TOKEN='))
        ?.split('=')[1] ?? ''
    );
    
  2. Check for Same-Site Cookie Issues: If the user is accessing your site from a different site (like clicking a link from an email or another domain), the browser might block the cookie due to Same-Site policy. Ensure your cookies are set with SameSite=None; Secure if they need to be accessed in a cross-site context.

  3. Verify Cookie Path and Domain: Ensure that the cookies (session and XSRF-TOKEN) are set for the correct path and domain. Misconfiguration here can lead to browsers not sending these cookies.

  4. Clear Browser Cookies and Cache: Sometimes, stale or corrupted cookies and cache can cause issues. Ask the user to clear their browser cookies and cache to see if that resolves the issue.

  5. Check CORS Configuration: If your API and frontend are served from different origins, ensure that your CORS (Cross-Origin Resource Sharing) settings are correctly configured to allow requests from the frontend domain.

  6. Session Configuration: Verify that the session configuration in your config/session.php file in Laravel is set up correctly. Pay attention to the domain and secure options.

  7. Debugging with Network Tab: Ask the user to check the Network tab in the browser's developer tools to see the request headers and responses. Look for any discrepancies in what's being sent or received.

Here's a quick example of how you might configure CORS in Laravel if needed:

// In config/cors.php

return [
    'paths' => ['api/*'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['http://example.com'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];

By following these steps, you should be able to diagnose and potentially fix the issue causing the 401 errors during XHR updates with Laravel Sanctum.
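As an added example (not code from this thread), here is a client-side helper that reads the Sanctum XSRF-TOKEN cookie defensively, covering the two ways a hand-rolled header snippet can silently produce a 401: a URL-encoded token sent undecoded, and a cookie value truncated at an "=" character. It assumes Laravel's default cookie name XSRF-TOKEN and header name X-XSRF-TOKEN; the endpoint in the usage comment is hypothetical.

```javascript
// Added example, not from the original thread. Assumes Laravel's default
// cookie name "XSRF-TOKEN" and the "X-XSRF-TOKEN" header that Laravel's
// VerifyCsrfToken middleware reads.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> raw value map.
// Splitting on the first "=" only preserves values that themselves contain "=".
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    if (eq === -1) continue; // malformed entry, skip it
    jar[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return jar;
}

// Return the decoded XSRF token, or null if the cookie is absent or unusable.
// Laravel URL-encodes the cookie (base64 padding "=" becomes "%3D"); the server
// decrypts the header value, so it must be sent decoded, which is what axios does.
function getXsrfToken(cookieString) {
  const raw = parseCookies(cookieString)['XSRF-TOKEN'];
  if (raw === undefined || raw === '') return null;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return null; // invalid percent-encoding; treat as missing rather than send garbage
  }
}

// Build headers for a same-origin Sanctum XHR call. Returns null when no token
// is available so the caller can request /sanctum/csrf-cookie first instead of
// firing a request that is guaranteed to be rejected.
function buildXhrHeaders(cookieString) {
  const token = getXsrfToken(cookieString);
  if (token === null) return null;
  return {
    'X-XSRF-TOKEN': token,
    'X-Requested-With': 'XMLHttpRequest',
    'Accept': 'application/json',
  };
}

// Browser usage (hypothetical endpoint). credentials: 'same-origin' makes the
// session and XSRF cookies travel with the request.
// const headers = buildXhrHeaders(document.cookie);
// if (headers) fetch('/api/items/1', { method: 'PUT', headers, credentials: 'same-origin' });
```

If `buildXhrHeaders(document.cookie)` returns null on the affected user's machine while the cookie is visible in the Application tab, the token is present but not readable by script, which points at cookie scope rather than the request code.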

aarontharker

There are also no other transport errors when loading the page, just 401s whenever they try to send an XHR update to the server.

aarontharker

Same-site is not the issue, as everything is taking place within the same domain. CORS is properly configured and works fine for all other users. Cookie domain is correct and path is set as /, so I'm assuming that will work fine for all subdirectories. Session details are the default and seem OK.

Snapey

If they block cookies this could happen.

Are they logging in OK? The transactions that 401, are they within 2 hours of logging in?

aarontharker

Yeah, they log in fine and can navigate through all the pages (requiring authorization); it is only the XHR requests that are having issues. Also, I can see the cookies in their browser's application store.
