CMOS

Reputation: 2907

Laravel Session always changes every refresh / request in Laravel 5.4

So the title basically says it all. I am using Laravel 5.4 and PHP 7.1, and on my local machine sessions are working just fine. Essentially, when trying to log in or reloading the page, I get a new CSRF token every time, which breaks everything. I am using database as my session driver, and it creates a new entry in the DB on every single request I make. This happened on my local machine when I first upgraded, but the fix was to update my cookie_domain env variable, and I got it working. However, on my new server I have tried every domain I could think of and it still does not work.

Here is what I know,

I assume this is a config issue from somewhere, but I have no idea; any help would be greatly appreciated. If it helps, looking under my response headers for my initial page load, both sid and the laravel session are present under the 'Set-Cookie' command, but neither actually saves to the local application cookie storage.

**Edit / Update** So originally I answered my own question by saying what I thought was the fix; however, this fix is no longer working and I am getting this issue all over the place. So, to update: my issue is the same as before. Trying to do anything creates a new session, and reloading and navigating a few pages adds dozens of sessions due to ajax requests and other such activity.

My setup now is this: I have 3 servers, and all three are running off of a cloned image, which means they are identical. However, one of them is a subdomain, development.mysite.com, and the other 2 are load balanced for the main site mysite.com. So the ONLY possible explanation I can come up with is that somehow Laravel cannot understand my setup due to my subdomain. I have tried every possible combination of COOKIE_DOMAIN in the .env file (development.mysite.com, .mysite.com, mysite.com, .development.mysite.com etc.) and I have added dozens of options to my host, all to no avail. Any ideas as to what this could be?

**Edit / Update #2** In addition to this, I have found that it might be related to my domain in use being a subdomain, in which the main domain is also running Laravel; if so, I will have to figure out how and why.

Upvotes: 20

Views: 31919

Answers (6)

ondrej_sanetrnik

Reputation: 31

For us, the cause of this was the Carbon::setTestNow() function incorrectly used in AppServiceProvider.php, which caused all of the sessions to be expired right after creation. Try to disable that if you use it somewhere. Hope this helps.

Upvotes: 0

Mathieu Ferre

Reputation: 4412

We got through this error too, and this is what seems to fix the problem:

• Check that your storage/ folder has the correct rights

• Try to disable all the JavaScript in your pages (either by disabling it via navigator or inside the code) and make sure that 'http_only' => true,

• Try to use with and without HTTPS

• Make sure the SESSION_DRIVER variable is NOT null

• Try to switch between 'encrypt' => false, and 'encrypt' => true,

• Try to change the cookie name 'cookie' => 'laravelsession',

• Try either to set your SESSION_DOMAIN to your actual domain OR null

• Try to switch between 'secure' => env('SESSION_SECURE_COOKIE', false), and 'secure' => env('SESSION_SECURE_COOKIE', true),

After every step, this bug seems to be fixed, but somehow, the cookie still is not set in the navigator sometimes until we use HTTPS on development too.

I am sorry not to be able to provide a 100% fix, but having the EXACT same issue, I wanted to share my experience with you.

Upvotes: 14

James

Reputation: 135

I was also facing a similar problem in Laravel 5.6. My application was working and never had issues regarding authentication. Suddenly I got a "419 | page is expired" error and the CSRF token was being generated with every single refresh.

Finally I figured out that the browser had blocked the cookies set by the application. I still have not found a permanent fix, but allowing or deleting those blocked cookies temporarily solved the issue.

I have changed nothing in my config/sessions.php configuration file and the application works fine on the local server.

Upvotes: 1

Alex

Reputation: 2775

Disable nginx cache if you use it. For me it solved the same problem.

Upvotes: 0

CMOS

Reputation: 2907

I found the solution to this was 2 parts; not sure why it varied, since it was the same OS and setup.

Step 1: make sure that COOKIE_DOMAIN is set properly and with no port numbers (either in .env or directly in /config/session.php, whichever you use).

Step 2: make sure that the cookie name ('cookie' => 'whatever') inside of /config/sessions.php does NOT have an underscore in it. Laravel apparently has had issues with this.

Upvotes: 7
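The symptom in the question (cookies visible under Set-Cookie but never stored) and the domain, port and HTTPS settings raised in the answers above can be checked against the browser's acceptance rules. The following is an added example, not code from any poster; the function names and sample headers are constructed, and it covers only the Domain and Secure rules.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes keyed in lowercase)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rejection_reason(request_url, header):
    """Return why a browser would discard the cookie, or None if it is stored."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lower()
    if domain.startswith("."):  # RFC 6265 5.2.3: one leading dot is ignored
        domain = domain[1:]
    if domain:
        if ":" in domain:
            return f"{name}: Domain '{domain}' contains a port and can never match a host"
        # RFC 6265 5.1.3: identical, or a dot-separated suffix of a non-IP host.
        suffix = host.endswith("." + domain) and not is_ip(host)
        if host != domain and not suffix:
            return f"{name}: Domain '{domain}' does not domain-match host '{host}'"
    # Current browsers refuse Secure cookies over plain HTTP (localhost may be exempt).
    if "secure" in attrs and url.scheme != "https":
        return f"{name}: Secure cookie sent over {url.scheme}"
    return None

# Constructed sample: responses as seen when browsing development.mysite.com.
SAMPLE_URL = "http://development.mysite.com/login"
SAMPLE_HEADERS = [
    "laravel_session=abc123; Path=/; Domain=.mysite.com; HttpOnly",
    "laravel_session=abc123; Path=/; Domain=mysite.com:8000; HttpOnly",
    "laravel_session=abc123; Path=/; Domain=www.mysite.com; HttpOnly",
    "laravel_session=abc123; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(rejection_reason(SAMPLE_URL, h) or "stored", "<-", h)
```

Paste the Set-Cookie values from the browser's network tab in place of the sample headers; any header that returns a reason will cause a fresh session on the next request.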

Waku-2

Reputation: 1196

The primary cause of this problem is Laravel's inability to save session data on the server side.

With file as session storage, it can be, and usually is, a permissions issue [check SELinux if you are on CentOS]. Laravel (that means apache or nginx or whatever user your process runs with) should have read and write permission on the folder where session files are stored [that is usually the project root/storage folder].

Another reason this can happen is when you are using database as session storage, created the sessions table manually, and made the mistake of making the id column of type bigint(20) or any other mismatching column.

That again means Laravel couldn't store the session data. Check my detailed answer about that here: https://stackoverflow.com/a/45340647/7260022

And the last point is about cookie and domain setting as mentioned above. Hope that helps to pinpoint the problem for anyone struggling with the issue in future.

Upvotes: 3
