if you remove the restriction on session domain?
Can't keep session going when using SESSION_DRIVER=database
Here is my issue:
.env:
SESSION_DRIVER=database
SESSION_DOMAIN=.example.test
When using the above, after every login the next route always redirects to the login or expired page.
The session table is always inserting and not using the previous session that was inserted.
Also, when viewing the cookie laravel_session, the value always changes on every URL load.
If we do .env:
SESSION_DRIVER=file
SESSION_DOMAIN=.example.test
It does not happen, but we want to be able to share sessions between hosts using the same database.
Hi Snapey,
If I do that, I get 419 | Page Expired every time.
SESSION_DRIVER=database
#SESSION_DOMAIN=.example.test
php artisan config:clear
Login again...
419 | Page Expired
Then I clear the cookie and instead I get the same issue
Always redirect to login screen
If I use
SESSION_DRIVER=file
It works.
It has something to do with setting it to
SESSION_DRIVER=database
That is causing this issue.
You do get a cookie?
Yes, every time. But the cookie value is always changing. So it is not cookie related directly because the cookie is changing no matter what setting I use for SESSION_DRIVER?
Here is the config/session.php
<?php

use Illuminate\Support\Str;

return [
    'driver' => env('SESSION_DRIVER', 'database'),
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION', null),
    'table' => 'sessions',
    'store' => env('SESSION_STORE', null),
    'lottery' => [2, 100],
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ),
    'path' => '/',
    // Hard-coded: SESSION_DOMAIN in .env is not read by this file.
    'domain' => '.example.test',
    'secure' => env('SESSION_SECURE_COOKIE', false),
    // false makes the session cookie readable from JavaScript.
    'http_only' => false,
    'same_site' => 'lax',
];
If that helps
I can think of a reason it would not work, but this would apply equally to database or file. The fact that it works with one and not the other is puzzling
When using the database:
the sessions table's user_id field is NULL. Could that help with resolving the problem?
user_id will only be populated if logged in. You have sessions for guests also.
Does anybody have any suggestions that I can try?
Here is an example of the sessions table
id user_id ip_address user_agent payload last_activity
id: 2eYD4PETxCuk4c75vdSCUUPOgxcwNcJRCuUTV4w0 user_id: NULL ip_address: 172.21.0.1 user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) Ap... payload: YToyOntzOjY6Il90b2tlbiI7czo0MDoiNGp2ZmEwRzcyM01iNE... last_activity: 1604584556
Nothing looks out of the ordinary, but for some reason it does not keep the session open... it closes right after login. Is there any reason that could happen?
Any files I can check to see where the behavior is coming from?
I am using Laravel 5.8.
Thanks
Desperately trying to get database sessions working @snapey @jeffery.
I have updated my last post to make it user friendly, more viewable. If you click the View Image Full Size it will load the image in another tab for convenience so you can see it at full size :)
How about this?
/**
 * Determine if the session and input CSRF tokens match.
 *
 * @param \Illuminate\Http\Request $request
 * @return bool
 */
protected function tokensMatch($request)
{
    $token = $this->getTokenFromRequest($request);

    dnd([
        __METHOD__,
        '$request->session()->all()' => $request->session()->all(),
        '$request->session()->token()' => $request->session()->token(),
        '$request->session()->getAttributes()' => $request->session()->getAttributes(),
        '$request->session()->getVar()' => $request->session()->getVar('_token'),
        // Distinct key: a repeated array key would overwrite the session token entry above.
        '$token (from request)' => $token,
        'is_string($request->session()->token())' => is_string($request->session()->token()),
        'is_string($token)' => is_string($token),
    ]);

    return is_string($request->session()->token()) &&
        is_string($token) &&
        hash_equals($request->session()->token(), $token);
}
output of dnd (same as dd but does not die)

To Store.php I added:
/**
 * @return array
 */
public function getAttributes()
{
    return $this->attributes;
}

/**
 * @param $key
 * @return mixed
 */
public function getVar($key)
{
    if (isset($this->attributes[$key])) {
        return $this->attributes[$key];
    }

    // Make the "key not set" result explicit.
    return null;
}
- When I run getVar('_token') I get _token
- When I run getAttributes() I get the _token
- When $request->session()->token() runs it returns null.
Here is public function token
/**
 * Get the CSRF token value.
 *
 * @return string
 */
public function token()
{
    return $this->get('_token');
}

/**
 * Get an item from the session.
 *
 * @param string $key
 * @param mixed $default
 * @return mixed
 */
public function get($key, $default = null)
{
    return Arr::get($this->attributes, $key, $default);
}
But you are sure it all works fine if you use file based session management?
And @snapey the tokens don't match. I think because it uses file it does not care about if the tokens match or not?
The process is the same, I think, for both file and database. CSRF is a secondary consideration to session maintenance, since it uses the session to remember the CSRF token. No session reliability, then CSRF will never work.
Hi @snapey
Here is something interesting
in my blade template I have
<meta name="csrf-token" content="7Oo2Ks3DuoBSdEruffYJeL3Z8mPk6yKtEMDj03DH">
in the login form:
<input type="hidden" name="_token" value="7Oo2Ks3DuoBSdEruffYJeL3Z8mPk6yKtEMDj03DH">
Both are on the same page. After login it can load but one page of any kind (that requires login), and then the tokens do not match again. The database session driver is using the cookie value for checking if the session is valid. You can see that in the previous posts.
To test the theory above, with the blade template, I made the redirect on login go to a page that does not exist. Then I manually go to that URL and it loads the page. When I then reload the page or go to another URL, it logs me out due to a change in session.
You are right, it is not related to CSRF token as I disabled the Middleware and it still works the same. So then it really does have something to do with the database session.
Okay, so I could not ever get Database sessions and I don't know why... moving on....
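A way to check what a sessions row actually holds, written as an added example (not code from the thread or from Laravel): it decodes the payload column and compares the stored _token with the token rendered in the form. It assumes 'encrypt' => false as in the config posted above; the function names, the sample row and its hostname are constructed for illustration.

```php
<?php
// Added diagnostic example; not code from the thread or from Laravel itself.

/** Decode a sessions.payload value: base64 over a PHP-serialized attribute array. */
function decodeSessionPayload(string $payload): array
{
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    // allowed_classes => false: never instantiate objects from stored session data.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('payload is not a serialized array');
    }
    return $data;
}

/** Report whether the row holds the form's CSRF token and a login key. */
function inspectSessionRow(string $payload, string $formToken): array
{
    $data = decodeSessionPayload($payload);
    $stored = $data['_token'] ?? null;
    // Assumption: the session guard stores the user id under a key starting "login_".
    $loginKeys = array_values(array_filter(array_keys($data), function ($key) {
        return is_string($key) && strpos($key, 'login_') === 0;
    }));
    return [
        'has_token' => is_string($stored),
        'token_matches_form' => is_string($stored) && hash_equals($stored, $formToken),
        'login_keys' => $loginKeys,
        'keys' => array_keys($data),
    ];
}

// Constructed sample row (guest session, no login key); hostname is made up.
$formToken = '7Oo2Ks3DuoBSdEruffYJeL3Z8mPk6yKtEMDj03DH'; // token from the form above
$sample = base64_encode(serialize([
    '_token' => $formToken,
    '_previous' => ['url' => 'http://app.example.test/login'],
]));
print_r(inspectSessionRow($sample, $formToken));
```

If the row for the current session decodes cleanly and its token matches the form, the write side is working and the next thing to check is why the following request is not matched to that row.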