You can create a session table if needed, it doesn't have to be bundled.
NativePHP mobile — session/token lost on redirect after login (bounces back to login, then 419)
Environment
nativephp/mobile v3 Laravel 12, PHP 8.4 Local DB: SQLite SESSION_DRIVER=file, SESSION_ENCRYPT=false, SESSION_DOMAIN=null, APP_URL=http://localhost:8000
What I'm building The mobile app is a thin client. It posts credentials to a remote Laravel API (Sanctum) which returns a token, stores that token in the local session, and redirects to a /dashboard route guarded by a small middleware that checks the session. What works
Entering a wrong password correctly shows the validation/error message (so CSRF and the session survive that POST → redirect-back cycle). Hitting the remote API directly with curl returns 200 and a token, so the backend is fine.
The problem
Entering the correct password appears to do nothing — I end up back on the login screen instead of the dashboard. Pressing the login button again then returns 419 Page Expired.
So a successful login stores the token but the /dashboard request doesn't see it and the middleware bounces me back. Routes
Route::get('/', fn () => session()->has('api_token')
? redirect()->route('dashboard')
: view('welcome'))->name('login');
Route::post('login', [AuthenticatedSessionController::class, 'store'])->name('login.attempt');
Route::get('dashboard', [DashboardController::class, 'show'])->middleware('api.token')->name('dashboard');
Login controller (success branch)
$request->session()->put([
'api_token' => $result['data']['token'],
'api_user' => $result['data']['user'] ?? [],
'api_company' => $result['data']['company'] ?? [],
]);
return redirect()->route('dashboard', absolute: false);
Middleware
public function handle(Request $request, Closure $next): Response
{
if (! $request->session()->has('api_token')) {
return redirect()->route('login'); // <-- this is what fires
}
return $next($request);
}
What I've already tried
Switched SESSION_DRIVER from database → file (the sessions table doesn't exist in the bundled SQLite; database sessions gave 419). Set QUEUE_CONNECTION=sync and CACHE_STORE=file for the same reason. Removed $request->session()->regenerate() from the login handler (thinking the rotated cookie wasn't carried onto the redirect). php artisan config:clear / optimize:clear and rebuilt the app.
It still bounces back to login on a correct password. Question It looks like the session cookie set on the login POST response isn't being sent on the subsequent /dashboard GET inside the NativePHP webview, so the freshly-stored api_token isn't there. Is there a known issue with session cookies persisting across redirects in the NativePHP mobile webview, and what's the recommended way to keep an auth token across requests? Should I avoid server sessions entirely and store the token another way?
Please or to participate in this conversation.