
Issue

I'm building a SPA that needs to authenticate with a Laravel back-end using Sanctum. I'm using the stancl/tenancy package for multi-tenancy, where each tenant has their own subdomain. However, when trying to get the CSRF cookie, I'm receiving "Cookie rejected for invalid domain" errors.

Setup

  • SPA running on localhost:5500
  • Laravel API with tenant on foo.localhost:8000 (using stancl/tenancy package)
  • Using Laravel Sanctum for authentication

Environment Configuration

SESSION_DOMAIN=.localhost
SANCTUM_STATEFUL_DOMAINS=localhost:5500

Error Messages

When calling the /sanctum/csrf-cookie endpoint, I get these errors in the browser console:

Cookie “XSRF-TOKEN” has been rejected for invalid domain.
Cookie “appName_session” has been rejected for invalid domain.
Cookie “iYsowm5ibM4hJnHPEkQ8byJiJqqjr1IvSpFsV8P7” has been rejected for invalid domain.

Code

Here's how I'm making the request:

// axios is assumed to be loaded in the page (import axios from 'axios' or a <script> tag).
axios.defaults.withCredentials = true;   // send and store cookies on cross-origin requests
axios.defaults.withXSRFToken = true;     // copy the XSRF-TOKEN cookie into the X-XSRF-TOKEN header

// NOTE: the scheme and host are missing from the post as extracted; only the port survived.
var baseUrl = ':8000';

axios.get(`${baseUrl}/sanctum/csrf-cookie`, {
    headers: {
        'Accept': 'application/json'
    }
})
.then((response) => {
    console.log(response);
})
.catch(error => {
    console.error('Failed to set CSRF cookie:', error);
});

Question

How can I properly configure Laravel Sanctum cookies to work with a SPA on localhost:5500 when the API is on a tenant subdomain (foo.localhost:8000) using the stancl/tenancy package?

Additional Information

  • Laravel version: 11.x
  • stancl/tenancy version: 3.x
  • Running everything locally for development

What I've Tried

  • Setting different SESSION_DOMAIN values
  • Configuring CORS in config/cors.php
  • Ensuring credentials are included in the fetch request

But I still got the browser console errors shown above.
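To reason about which of the three cookies a browser will keep, it helps to run the RFC 6265 storage rules (section 5.3, steps 4 to 6) by hand. The checker below is an added example, not code from the question or from Laravel, Sanctum or stancl/tenancy. It scopes a Set-Cookie header against the host the response came from (the API host foo.localhost, never the SPA's localhost:5500, and never a port), and takes the set of "public suffixes" as a parameter because which names a given browser refuses to scope cookies to is browser-dependent and not established by the post. The Set-Cookie header is constructed in the shape Laravel emits with SESSION_DOMAIN=.localhost.

```javascript
// RFC 6265 section 5.1.3 domain-match: host equals the domain, or ends with "." + domain.
// (The IP-address exclusion of the RFC is omitted; hostnames only.)
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse a raw Set-Cookie header into the cookie name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

// Decide whether an RFC 6265 user agent stores the cookie. requestHost is the host the
// response came FROM (the API host) with no port: cookie scoping ignores ports entirely.
// publicSuffixes is an assumed, caller-supplied set; the RFC lets the agent reject a
// Domain attribute that is a public suffix, and which names count (e.g. "localhost")
// differs between browsers.
function evaluateCookie(setCookieHeader, requestHost, publicSuffixes = new Set()) {
  const { name, attributes } = parseSetCookie(setCookieHeader);
  let domain = (attributes.domain || '').toLowerCase();
  if (domain.startsWith('.')) domain = domain.slice(1); // a leading dot is ignored
  const host = requestHost.toLowerCase();
  if (domain === '') {
    // No Domain attribute: host-only cookie, sent back only to exactly this host.
    return { name, accepted: true, hostOnly: true, scope: host };
  }
  if (publicSuffixes.has(domain)) {
    // A public suffix is allowed only when it IS the request host, and then as host-only.
    return domain === host
      ? { name, accepted: true, hostOnly: true, scope: host }
      : { name, accepted: false, reason: 'domain is a public suffix' };
  }
  if (!domainMatches(host, domain)) {
    return { name, accepted: false, reason: 'domain does not match request host' };
  }
  return { name, accepted: true, hostOnly: false, scope: domain };
}

// Constructed sample in the shape Laravel sends for SESSION_DOMAIN=.localhost.
const SAMPLE_HEADER =
  'XSRF-TOKEN=abc123; expires=Wed, 01 Jan 2025 00:00:00 GMT; Max-Age=7200; path=/; domain=.localhost; samesite=lax';
```

Calling `evaluateCookie(SAMPLE_HEADER, 'foo.localhost')` with an empty suffix set accepts the cookie scoped to `localhost`, while passing `new Set(['localhost'])` rejects it, which is the decision a browser makes for itself when it prints "rejected for invalid domain".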

Tags: php, Laravel Sanctum CSRF Token Cookies Invalid Domain with Multitenant SPA Setup, Stack Overflow