I manage a web app: Laravel backend, React frontend. Same domain but different subdomains.

Our app initializes the Laravel CSRF token by hitting `sanctum/csrf-cookie`, then proceeds to log users in.

Recently about half of our users have been unable to log in. I've isolated the issue to this endpoint. It times out, failing to set the XSRF-TOKEN cookie, so the subsequent login fails. I've even asked a test user to visit `api.ourdomain.com/sanctum/csrf-cookie` and it times out in their browser as well, so it's not an axios or front-end issue as far as I can tell.

My team and I, and many other users, don't have this issue. We can visit the above URL and set our cookie. I'm at a loss for how this could have happened. I even checked one of the failed-login users' name servers for our domain in case it was some DNS weirdness, but everything matched mine.
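An added diagnostic, not the poster's code, that reproduces the two steps the question describes: a GET to `/sanctum/csrf-cookie` with an explicit timeout (so a hang is reported rather than hidden), and a check that the returned XSRF-TOKEN cookie is scoped so a different subdomain can read it. The hostnames and Set-Cookie values are constructed placeholders, not the poster's real domains.

```python
import socket
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Constructed sample headers shaped like Sanctum's csrf-cookie response (not real captures).
SAMPLE_XSRF = ("XSRF-TOKEN=eyJpdiI6abc%3D; expires=Tue, 01 Jan 2030 00:00:00 GMT; "
               "Max-Age=7200; path=/; domain=.example.com; secure; samesite=lax")
SAMPLE_SESSION = "laravel_session=def456; path=/; domain=.example.com; httponly; samesite=lax"

def parse_xsrf_cookie(set_cookie_header: str) -> dict:
    """Return the XSRF-TOKEN attributes from one Set-Cookie header, or {} if it is absent."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("XSRF-TOKEN")
    if morsel is None:
        return {}
    return {
        "domain": morsel["domain"].lower().lstrip("."),  # browsers ignore the leading dot
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"].lower() or "lax",  # browser default when omitted
    }

def in_scope(attrs: dict, set_by_host: str, request_host: str) -> bool:
    """True if a cookie set by set_by_host with these attributes is sent to (and, for
    XSRF-TOKEN, readable by script on) request_host. No Domain attribute means host-only."""
    if not attrs:
        return False
    dom = attrs["domain"]
    if not dom:
        return request_host.lower() == set_by_host.lower()
    host = request_host.lower()
    return host == dom or host.endswith("." + dom)

def fetch_csrf_cookie(url: str, timeout: float = 10.0) -> dict:
    """GET the csrf-cookie endpoint; a timeout is reported, not raised, since that is the symptom."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"status": resp.status, "set_cookie": resp.headers.get_all("Set-Cookie") or []}
    except socket.timeout:
        return {"status": None, "error": f"timed out after {timeout}s"}
    except urllib.error.URLError as exc:
        return {"status": None, "error": str(exc.reason)}

if __name__ == "__main__":
    API, SPA = "api.example.com", "app.example.com"  # constructed placeholder hosts
    result = fetch_csrf_cookie(f"https://{API}/sanctum/csrf-cookie")
    print(result)
    for header in result.get("set_cookie", []):
        attrs = parse_xsrf_cookie(header)
        if attrs:
            print("XSRF-TOKEN readable from SPA origin:", in_scope(attrs, API, SPA))
```

Run it from an affected user's machine and a working one and compare the two outputs: a reported timeout points at the network path to the API host, while a cookie that is returned but out of scope for the front-end subdomain points at the session domain configuration.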