Laravel: 8
PHP: 8.0
Unmanaged VPS hosting with WHM/cPanel
The application does not send the Set-Cookie header for XSRF-TOKEN in its response headers.
The same application and settings work on another server.
Is there any setting I should change in WHM or cPanel?
session.php
'encrypt' => false,
'path' => '/',
'domain' => env('SESSION_DOMAIN', null),
'secure' => env('SESSION_SECURE_COOKIE',false),
'http_only' => true,
'same_site' => 'none',
response headers
HTTP/1.1 200 OK
Date: Thu, 09 Jun 2022 11:14:06 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
request headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en,ar;q=0.9,en-US;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Cookie: __stripe_mid=a9495657-8584-49af-9e18-ec5abc1c439db70553; __stripe_sid=9df921fb-f2dc-4f71-94d4-26f014a537063d4ba3; TestCookie=hie
Host: admin.ikramikram.com
Pragma: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33
.htaccess
AddType image/webp .webp
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME}.webp -f
RewriteRule ^/?(.+?)\.(jpe?g|png)$ /$1.$2.webp [NC,T=image/webp,E=EXISTING:1,E=ADDVARY:1,L]
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
Header always edit Set-Cookie: (.*) "$1; httponly"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
<FilesMatch "(?i)\.(jpe?g|png)$">
Header append "Vary" "Accept"
</FilesMatch>
</IfModule>
</IfModule>
Options -Indexes
<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
Order allow,deny
Deny from all
</Files>
<Files ~ "(artisan)$">
Order allow,deny
Deny from all
</Files>
<IfModule mod_headers.c>
# ONE YEAR (31536000 seconds)
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# ONE YEAR (31536000 seconds)
<FilesMatch "\.(js|css|swf)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
<IfModule mime_module>
AddHandler application/x-httpd-ea-php80 .php .php8 .phtml
</IfModule>
<IfModule php8_module>
php_flag display_errors On
php_value max_execution_time 6000
php_value max_input_time 6000
php_value max_input_vars 10000
php_value memory_limit -1
php_value post_max_size 5120M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php80"
php_value upload_max_filesize 1000M
php_flag zlib.output_compression On
</IfModule>
<IfModule lsapi_module>
php_flag display_errors On
php_value max_execution_time 6000
php_value max_input_time 6000
php_value max_input_vars 10000
php_value memory_limit -1
php_value post_max_size 5120M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php80"
php_value upload_max_filesize 1000M
php_flag zlib.output_compression On
</IfModule>
# END cPanel-generated php ini directives, do not edit
Solution: WHM / Service Configuration / Service Manager
Enable and monitor the PHP-FPM service for cPanel Daemons.
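A header audit for the symptom in this thread, as an added example that is not part of the original posts: it reports an expected cookie with no Set-Cookie header, flags SameSite=None cookies that lack Secure (what the posted session.php yields when SESSION_SECURE_COOKIE is unset), and flags an HttpOnly XSRF-TOKEN. The cookie names, function names and both sample header blocks are assumptions constructed for illustration.

```python
# Added example: audit a raw response-header block for the cookies a Laravel app should set.
# EXPECTED and both sample blocks are assumptions/constructed, not data from the thread.

EXPECTED = ("XSRF-TOKEN",)  # assumed cookie name, taken from the question's wording


def parse_set_cookies(raw_headers):
    """Map cookie name -> {lowercased attribute: value} for each Set-Cookie line."""
    cookies = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        pair, *attr_parts = [p.strip() for p in value.split(";")]
        attrs = {}
        for part in attr_parts:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
        cookies[pair.partition("=")[0]] = attrs
    return cookies


def audit(raw_headers, expected=EXPECTED):
    """Return a list of findings; an empty list means the cookie headers look sane."""
    cookies = parse_set_cookies(raw_headers)
    findings = [f"{name}: no Set-Cookie header in the response"
                for name in expected if name not in cookies]
    for name, attrs in cookies.items():
        # Chromium-based browsers reject SameSite=None cookies that are not Secure.
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None without Secure")
        # XSRF-TOKEN must stay readable by JavaScript to be echoed as X-XSRF-TOKEN.
        if name == "XSRF-TOKEN" and "httponly" in attrs:
            findings.append(f"{name}: HttpOnly hides the token from front-end JS")
    return findings


# Constructed sample 1: a response with no Set-Cookie line, like the one in the question.
NO_COOKIES = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8"""

# Constructed sample 2: cookies emitted with same_site=none and secure=false.
# "laravel_session" is an assumed session cookie name.
INSECURE_NONE = """HTTP/1.1 200 OK
Set-Cookie: XSRF-TOKEN=constructed-token; path=/; samesite=none
Set-Cookie: laravel_session=constructed-id; path=/; httponly; samesite=none"""

if __name__ == "__main__":
    for label, block in (("no cookies", NO_COOKIES), ("samesite=none", INSECURE_NONE)):
        print(label, "->", audit(block))
```

To check a live server, save the output of `curl -sI` for the page to a file and pass its contents to `audit()`.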