I am using Laravel Sanctum with Vuejs SPA. Both reside on same top level domain
Laravel backend : app.demo.localhost
Vue SPA : app-spa.demo.localhost
Login and logout (endpoints) are working correctly when called from VueJS SPA using axios and XSRF-TOKEN is succesfully set, but when I call other api end points it gives me 401 unauthorized.
In axios this is being set
axios.defaults.withCredentials = true;
I have the below configurations
In Laravel .env
SESSION_DRIVER=cookie
SESSION_DOMAIN=.demo.localhost
SANCTUM_STATEFUL_DOMAINS=app-spa.demo.localhost
In Routes/Api.php
Route::middleware('auth:sanctum')->get('api/user', function (Request $request) {
return $request->user();
});
In cors.php
'paths' => ['api/*', 'sanctum/csrf-cookie', 'login', 'logout'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => true,
Could someone help me out please?
If you are using php artisan serve add the port number to SANCTUM_STATEFUL_DOMAINS. So if your port number is 8000:
SESSION_DRIVER=cookie
SESSION_DOMAIN=.demo.localhost
SANCTUM_STATEFUL_DOMAINS=app-spa.demo.localhost:8000
Your SANCTUM_STATEFUL_DOMAINS must match the url in your browser. The port number should not be on the SESSION_DOMAIN.
Following are the 8 steps that I follow while setting up Laravel sanctum check if you missed anything
Step1 composer require laravel/sanctum
Step2 php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider
Step3 php artisan migrate (you can ignore this if you're using spa)
Step4 uncomment this line from app/http/kernel.php \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
Step5 In config/cors.php update 'supports_credentials' => true,
Step6 In .env file update SESSION_DRIVER=cookie & add new line of SESSION_DOMAIN=localhost (even if your using any port like 8080 just mention localhost in session_domain)
Step7 In config/sanctum.php add your client domain along with port(if local) in stateful as follows, in my case for vue CLI it's usually localhost:8080 & for nuxt its localhost:3000 , code is as follows
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost,localhost:8000,localhost:8080,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : ''
))),
Mostly if your stateful (step7) is not setup properly you will get 401 unauthorized or it will try to redirect you to the home page along with cors policy error
Step8 Do not forget to await until sanctum/csrf-cookie promise is resolved
async login() {
await axios.get("http://localhost:8000/sanctum/csrf-cookie");
await axios.post("http://localhost:8000/login", {
email: "kunal#gmail.com",
password: "password",
});
let response = await axios.get("http://localhost:8000/api/user");
console.log(response.data);
},
For anyone dealing with localhost:
SESSION_DRIVER=cookie
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=localhost:8080(port number you use)
I just encountered the same problem. I configured all the options according to the official documentation, but I couldn't get the authorization.
Then I use routes/web.php instead of routes/api.php, so I can use sanctum middleware very well.
Now the problem seems obvious,Axios withCredentials maybe need to place in the correct way.
const http = axios.create({
baseURL: API_URL,
withCredentials: true
})
maybe not work. So I add {withCredentials: true} like
http.get('/api/whoami', {withCredentials: true})
.then(res => {
console.log(res.data)
})
Then it works.
But the very strange thing is that it is normal now, no matter whether I clear the browser cache, cookies or Laravel's various caches, there is no previous situation
For me i just had to place the host with port number:
SANCTUM_STATEFUL_DOMAINS=127.0.0.1:5173
and it started working.
Maybe this helps someone.
My problema was.... (no read with attention)
If your SPA needs to authenticate with private / presence broadcast channels, you should place the Broadcast::routes method call within your routes/api.php file:
Hi i found a solution.
My SPA is Vue v3 working on 3000 port.
Also my backend is working on 80 port. (laravel 8.1)
Make Stateful Domains in config/sanctum.php like that
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost:3000',
env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : ''
))),
Adding only one and correct domain on their, worked for me magically. I wrote before there whole possible variant of ports, it made me crazy and cost a couple days and nights.
My issue was I setup the domain in the wrong place.
I thought was an array of domains, in config/sanctum.php, but not, needs to be placed within the string:
OK:
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1,myownlocaldomain.test,myownlocaldomain.test:8080', <-------- OK
env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : ''
))),
BAD:
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : '',
'myownlocaldomain.test', <----- BAD
'myownlocaldomain.test:8080', <---- BAD
))),
I hope I save days of work to someone else...
my site have config load balancer from https to http
and in my cource code /app/Config/core.php
Configure::write('Session', array(
'defaults' => 'cake',
'timeout' => 4320,
'checkAgent' => false,
'cookieTimeout'=>0,
'ini' => array(
'session.cookie_secure' => false,
'session.referer_check' =>false
)
));
it's mean that session is store in /app/tmp/. and timeout 3days.
but when i open the browser(Chrome/IE) it create a session in folder app/tmp/
and I close the browser and open it again, it create a new file. So the old Session lose??
I've change to config defaults =>'php' but it's the same.
Can Anyone help me!
Thanks in advance!
You have Session.cookieTimeout set to 0. Remove Session.cookieTimeout and it will default to Session.timeout value - 4320
i am trying to allow accessing the $_GET for both clean url and normal get request in YII (Yii 1.1.14), so for example if i have a controller Cities and action getCities that var_dump($_GET) only
1- http://example.com/cities/getCities/country_id/100
==> the output is array(1) { ["country_id"]=> string(3) "100" }
2- http://example.com/cities/getCities?country_id=100
==> the output is array(0) { }
my urlManager is
'urlManager' => array(
'class' => 'ext.localeurls.LocaleUrlManager',
'languageParam' => 'lang', // Name of the parameter that contains the desired language when constructing a URL
'urlFormat' => 'path',
'showScriptName' => false,
'caseSensitive' => false,
'rules'=>array(
'login'=>'/home/login'
)
),
how could i allow Yii to recognize $_GET in both cases above?
EDIT
i am using nginx 1.6. GET params (?x=y) is working fine on other Yii projects, only this project doesn't. I changed the web-server to apache, and i got it working on this project!!! although this project has the same nginx configurations like others!!
I have a Cakephp application and Yii application running on the same server. And their session config are
Cakephp:
Configure::write('Session', array(
'defaults' => 'php',
'ini' => array(
'session.cookie_path' => '/cakephp_app',
),
'cookie' => 'PHPSESSID'
));
Yii:
'session' => array(
'autoStart' => true,
'timeout' => 5400,
'sessionName' => 'YIIAPP',
)
I supposed their session will be separated, but the result is negative.
Since the cakephp app is already in production, so what can I do to separate the Yii session from the cakephp session?
And can anyone tell me how come my Yii is still using the PHPSESSID session, rather than then 'YIIAPP' session?
I've tested this and adding:
'sessionName' => 'YiiAPP'
worked first time for me.
However, I then added
session_start()
To my index.php file - and this then shows the PHPSESSID. So I suspect somewhere in your code you are using session_start() - which Yii doesn't need. It starts its own session automatically.
I downloaded yiiSkeletonApp from https://github.com/travisstroud/yiiSkeletonApp
managed to get localhost/dev working but when i click on login / register i get an Error 404.
the login url and register url's are http://localhost/dev/login and http://localhost/dev/user/create
in my protectd/config/main.php i have this..
'urlManager' => array(
'urlFormat' => 'path',
'showScriptName' => false,
'rules' => array(
'<controller:\w+>/<id:\d+>' => '<controller>/view',
'<controller:\w+>/<action:\w+>/<id:\d+>' => '<controller>/<action>',
'<controller:\w+>/<action:\w+>' => '<controller>/<action>',
),
),
also the files protected/views/site/login.php and protected/views/user/create.php do exist
here is the error message
Object not found!
The requested URL was not found on this server. The link on the referring page seems to be wrong or outdated. Please inform the author of that page about the error.
If you think this is a server error, please contact the webmaster.
Error 404
localhost
folder content:
localhost/dev/
- assets/
- css/
- images/
- protected/
- themes/
- yii/
- facebook-channel.php
- index.php
- index-test.php
- README.md
You site is configured to use hard coded path's it seems. so its referring to the wrong paths.
try accessing this url from localhost,
localhost/dev/index.php/site/login
localhost/dev/index.php/site/user/create
There is no issue with urlManager. You can refer to this link to understand URL Manager of yii.
http://www.yiiframework.com/doc/guide/1.1/en/topics.url