I’m working on a Laravel 11 project where I’m using Laravel Sanctum for authentication in my SPA (Vue.js 3). My setup includes a backend and a frontend hosted on different subdomains, and I’m running everything using Docker. The backend is accessible at http://shop_backend.localhost:8084 and the frontend at http://shop_frontend.localhost:8787.
When I try to make a request to the backend to get the CSRF cookie using Axios, I’m encountering this error:
Token mismatch, status 419
laravel sanctum csrf this attempt to set a cookie via a set-cookie header was blocked because its domain attribute was invalid with regards to the current host url
What am I missing or doing wrong? Any help or pointers would be appreciated 🙂
This is the SESSION_DOMAIN=.localhost
My configs:
.env
APP_NAME=SHOP
APP_ENV=local
APP_KEY=base64:qJsej8OfNb9Kr3SNElIYZjklt7kzbiutjb78ithm1A4def90dpKB1l58=
APP_DEBUG=true
APP_TIMEZONE=UTC
APP_URL=http://shop_backend.localhost:8084
FRONTEND_URL=http://shop_frontend.localhost:8787
APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US
APP_MAINTENANCE_DRIVER=file
APP_MAINTENANCE_STORE=database
BCRYPT_ROUNDS=12
LOG_CHANNEL=stack
LOG_STACK=single
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=shop
DB_USERNAME=test
DB_PASSWORD=test
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_DOMAIN=.localhost
BROADCAST_CONNECTION=log
FILESYSTEM_DISK=local
QUEUE_CONNECTION=database
CACHE_STORE=redis
CACHE_PREFIX=
MEMCACHED_HOST=127.0.0.1
REDIS_HOST=redis
REDIS_PASSWORD=null
REDIS_PORT=6379
VITE_APP_NAME="${APP_NAME}"
SANCTUM_STATEFUL_DOMAINS=shop_frontend.localhost:8787
app.php
<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->statefulApi();
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
cors.php
<?php

return [
    'paths' => ['api/*'],
    'allowed_methods' => ['*'],
    'allowed_origins' => [env('FRONTEND_URL')],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];
sanctum.php
<?php

use Laravel\Sanctum\Sanctum;

return [
    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS')),
    'guard' => ['web'],
    'expiration' => 120,
    'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
    'middleware' => [
        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],
    'prefix' => 'api',
];
I set up a new Laravel project but encountered the same error. I tried changing the SESSION_DOMAIN to localhost and .localhost but it didn’t resolve the issue.
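The browser message quoted in the post comes from the Domain attribute check in RFC 6265 section 5.3. The following is an added example, not part of the original post, that models that check in simplified form. The function names and the small suffix set are assumptions made for illustration; real browsers consult the full Public Suffix List.

```javascript
// Added example: simplified model of the RFC 6265 section 5.3 Domain check.
// KNOWN_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const KNOWN_SUFFIXES = new Set(["com", "org", "co.uk"]);

// PSL default rule "*": any single label with no listed rule (such as
// "localhost") is itself treated as a public suffix.
function isPublicSuffix(domain) {
  return KNOWN_SUFFIXES.has(domain) || !domain.includes(".");
}

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are out of scope here).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what a user agent does with Set-Cookie's Domain for a request host.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain === "") {
    return { accepted: true, scope: "host-only", domain: host };
  }
  if (isPublicSuffix(domain)) {
    // A public suffix is only tolerated when it equals the host exactly,
    // and then the cookie is stored as host-only.
    return domain === host
      ? { accepted: true, scope: "host-only", domain: host }
      : { accepted: false, reason: "Domain attribute is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: "request host does not domain-match" };
  }
  return { accepted: true, scope: "domain", domain };
}

// Constructed cases: the first uses the host and SESSION_DOMAIN from the post.
const cases = [
  ["shop_backend.localhost", ".localhost"],
  ["shop_backend.localhost", ""],
  ["localhost", "localhost"],
  ["api.shop.test", ".shop.test"],
  ["shop.example.com", "other.com"],
];
for (const [host, attr] of cases) {
  console.log(host, JSON.stringify(attr), evaluateCookieDomain(host, attr));
}
```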