I have an issue with the Laravel Sanctum CSRF cookies. I run an API with Laravel 8 on a subdomain, api.domain.nl, and a front end with NuxtJS on domain.nl. Now I want to protect my POST requests that are going to api.domain.nl with a CSRF cookie that's set on the front end. To achieve this I read about Laravel Sanctum. Now I am sending a POST request to api.domain.nl/api/sanctum/csrf-cookie; this returns a 204 status and tries to set a cookie with a Set-Cookie header. On localhost, this works fine. But whenever I try to do it on my server I get this error:
This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host URL
Now I did read about some other people that ran into this issue, and it has something to do with your Laravel .env. I tried everything with SESSION_DOMAIN and SANCTUM_STATEFUL_DOMAINS, but honestly, I'm clueless because it kept giving me the same error. For now, I have this:
SESSION_DOMAIN=.domain.nl
SANCTUM_STATEFUL_DOMAIN=api.domain.nl
(Of course domain replaced with the domain I use)
Hope someone has the solution to this issue!
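
The browser message quoted above refers to the domain-match check that browsers apply to the Domain attribute of a Set-Cookie header (RFC 6265, sections 5.1.3 and 5.3). The following is an added example, not part of the original post, that sketches a simplified version of that check; `checkCookieDomain`, the short public-suffix set and the sample hostnames are constructed for illustration.

```javascript
// Simplified sketch of the RFC 6265 Domain attribute check (added example).
// Constructed stand-in for the Public Suffix List; browsers use the full list.
const PUBLIC_SUFFIXES = new Set(['nl', 'com', 'co.uk']);

// Rough IP literal test: dotted IPv4 or anything containing ':' (IPv6).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// Canonicalize a Domain attribute value: lowercase, drop one leading dot.
function canonicalDomain(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith('.') ? v.slice(1) : v;
}

// Domain-match: identical strings, or the host ends with "." + domain
// (a whole-label boundary) and the host is not an IP address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (isIpLiteral(host)) return false;
  return host.endsWith('.' + domain);
}

// Decide whether a response from responseHost may set a cookie
// whose Domain attribute is domainAttr.
function checkCookieDomain(responseHost, domainAttr) {
  const host = responseHost.toLowerCase();
  const domain = canonicalDomain(domainAttr);
  if (domain === '') return { accepted: true, reason: 'host-only cookie' };
  if (PUBLIC_SUFFIXES.has(domain) && host !== domain) {
    return { accepted: false, reason: 'Domain is a public suffix' };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: 'Domain does not match response host' };
  }
  return { accepted: true, reason: 'domain cookie for ' + domain };
}

// Constructed cases built on the hostnames used in the question.
const cases = [
  ['api.domain.nl', '.domain.nl'],    // parent domain of the API host
  ['api.domain.nl', 'api.domain.nl'], // exact host
  ['api.domain.nl', 'localhost'],     // value left over from local development
  ['api.domain.nl', 'main.nl'],       // suffix of the string, not of the labels
  ['api.domain.nl', '.nl'],           // public suffix
];
for (const [host, attr] of cases) {
  const r = checkCookieDomain(host, attr);
  console.log(`${host} Domain=${attr}: ${r.accepted ? 'accepted' : 'blocked'} (${r.reason})`);
}
```

Comparing the Domain value in the actual Set-Cookie response header (visible in the browser's network panel) against the host that served the response shows which of these cases applies.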