Randy_Johnson's avatar

NativePHP mobile — session/token lost on redirect after login (bounces back to login, then 419)

Environment

nativephp/mobile v3 Laravel 12, PHP 8.4 Local DB: SQLite SESSION_DRIVER=file, SESSION_ENCRYPT=false, SESSION_DOMAIN=null, APP_URL=http://localhost:8000

What I'm building The mobile app is a thin client. It posts credentials to a remote Laravel API (Sanctum) which returns a token, stores that token in the local session, and redirects to a /dashboard route guarded by a small middleware that checks the session. What works

Entering a wrong password correctly shows the validation/error message (so CSRF and the session survive that POST → redirect-back cycle). Hitting the remote API directly with curl returns 200 and a token, so the backend is fine.

The problem

Entering the correct password appears to do nothing — I end up back on the login screen instead of the dashboard. Pressing the login button again then returns 419 Page Expired.

So a successful login stores the token but the /dashboard request doesn't see it and the middleware bounces me back. Routes

Route::get('/', fn () => session()->has('api_token')
    ? redirect()->route('dashboard')
    : view('welcome'))->name('login');

Route::post('login', [AuthenticatedSessionController::class, 'store'])->name('login.attempt');
Route::get('dashboard', [DashboardController::class, 'show'])->middleware('api.token')->name('dashboard');

Login controller (success branch)

$request->session()->put([
    'api_token'   => $result['data']['token'],
    'api_user'    => $result['data']['user'] ?? [],
    'api_company' => $result['data']['company'] ?? [],
]);

return redirect()->route('dashboard', absolute: false);

Middleware

public function handle(Request $request, Closure $next): Response
{
    if (! $request->session()->has('api_token')) {
        return redirect()->route('login'); // <-- this is what fires
    }
    return $next($request);
}

What I've already tried

Switched SESSION_DRIVER from database → file (the sessions table doesn't exist in the bundled SQLite; database sessions gave 419). Set QUEUE_CONNECTION=sync and CACHE_STORE=file for the same reason. Removed $request->session()->regenerate() from the login handler (thinking the rotated cookie wasn't carried onto the redirect). php artisan config:clear / optimize:clear and rebuilt the app.

It still bounces back to login on a correct password. Question It looks like the session cookie set on the login POST response isn't being sent on the subsequent /dashboard GET inside the NativePHP webview, so the freshly-stored api_token isn't there. Is there a known issue with session cookies persisting across redirects in the NativePHP mobile webview, and what's the recommended way to keep an auth token across requests? Should I avoid server sessions entirely and store the token another way?

0 likes
1 reply
jlrdw's avatar

You can create a session table if needed, it doesn't have to be bundled.

Please or to participate in this conversation.