Mar 26, 2026

Level 4

Issue with Laravel 12 on IONOS hosting - no cookies

I have two apps running on the same server behind a Webscale proxy (Apache). A Laravel 11 app works correctly, returning a proper 302 with session cookies. My new Laravel 12 app returns 200 OK with no cookies and no Location header — just the Symfony HTML redirect fallback body.

The redirect itself is correct (the Microsoft OAuth URL is properly generated), but the response code and headers are wrong.

Controller

public function redirectToProvider()
{
    return Socialite::driver('microsoft')->redirect();
}

Route

Route::middleware('guest')->group(function () {
    Route::get('/login/ms', [LoginController::class, 'redirectToProvider'])->name('msauth');
});

bootstrap/app.php

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware): void {
        $middleware->trustProxies(at: '*');
    })
    ->withExceptions(function (Exceptions $exceptions): void {
        //
    })->create();

CURL comparison

**Laravel 12 (`mynewable.newable.dev`):** ``` HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-WS-Origin: available Server: Apache ``` No cookies. No `Location` header. No `Cache-Control`.

**Laravel 11 (`mynewable.co.uk`) — same server, same proxy:** ``` HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, private Set-Cookie: XSRF-TOKEN=... Set-Cookie: mynewable_session=... Location: https://login.microsoftonline.com/... Strict-Transport-Security: ... X-XSS-Protection: ...

What I've ruled out

Not a caching issue — happens on fresh requests with no prior cache
Not a routing issue — php artisan route:list shows the correct controller method
Not a code issue — works perfectly in local Laragon environment
Not a proxy issue — the L11 app on the same server behind the same proxy works fine
TrustProxies — already set to * in bootstrap/app.php
bootstrap/app.php — completely default, nothing custom added
All caches cleared — php artisan optimize:clear run before every test

The missing response headers on the L12 app (no Cache-Control, no cookies, no security headers) suggest Laravel isn't completing the response pipeline properly, but I can't find why.

Has anyone seen this behaviour with Laravel 12 behind a reverse proxy, and is there something in the new middleware/kernel structure that needs explicit configuration that Laravel 11 handled automatically?

LaryAI

1 month ago

Level 58

Absolutely, this is a great analysis and you've diagnosed things thoroughly. Given the difference in behavior between Laravel 11 and 12—especially receiving a Symfony HTML redirect fallback instead of a proper 302—and that it works locally but not on IONOS hosting, the problem almost certainly relates to Laravel 12's new HTTP Kernel and Middleware handling.

Understanding Laravel 12 HTTP Pipeline Changes

Laravel 12's new HTTP kernel means web middleware is not registered globally by default:
You MUST explicitly wrap routes in the web middleware.

In Laravel 11, the web middleware group (which sets up session, cookies, CSRF, encrypt cookies, etc.) was always applied to routes/web.php.
In Laravel 12, if you use withRouting(web: ...) in bootstrap/app.php, it does not automatically apply the web middleware stack—unless you specifically do so.

Most Likely Cause

Your route group only has the guest middleware.
It does NOT have the web middleware group!
Therefore, cookies are not started, sessions are not used, and headers like Set-Cookie, Cache-Control, and so on are missing.

Solution

1. Make sure your route is inside the `web` middleware group

In Laravel 12, you need:

Route::middleware('web')->group(function () {
    Route::middleware('guest')->group(function () {
        Route::get('/login/ms', [LoginController::class, 'redirectToProvider'])->name('msauth');
    });
});

Or more simply:

Route::middleware(['web', 'guest'])->group(function () {
    Route::get('/login/ms', [LoginController::class, 'redirectToProvider'])->name('msauth');
});

2. Or, wrap your entire `routes/web.php` in `Route::middleware('web')`

Route::middleware('web')->group(function () {
    // ...your entire routes/web.php contents...
});

3. Check Session/Cookie Configs if You've Changed Domains

Ensure your .env matches domain/cookie settings for the new laravel12 environment (SESSION_DOMAIN, SESSION_SECURE_COOKIE, etc), but this doesn't usually cause a missing header—just a missing cookie value.

Summary

Laravel 12 does NOT automatically apply web middleware to web routes. You must add it explicitly!

References

TL;DR

Update your routes/web.php like this:

Route::middleware(['web', 'guest'])->group(function () {
    Route::get('/login/ms', [LoginController::class, 'redirectToProvider'])->name('msauth');
});

This will restore sessions, cookies, proper headers, and correct 302 redirect behavior in Laravel 12.

vincent15000

2 weeks ago

Level 63

I have a website with Laravel 12 using Socialite on IONOS and it works perfectly.

Have you solved your issue ? Or do you still need help ?

Is it a full Laravel application or do you use any JS frontend ?

Have you thought about checking you environment variables ?

Please or to participate in this conversation.