I am running a Laravel project with Vue/Vite as front-end. Lately I have encountered an issue regarding cookie management, which I have attributed to some kind of misconfiguration after upgrading to Laravel 11 (from 10.3).
The problem
When reloading the page, 3 cookies are set: the laravel_session, the XSRF-TOKEN, and a third one with a random string as name. The first two work as intended, the third does not. If I reload the page, the first two cookies are overwritten, however the third is replaced with a fourth cookie with similar naming. Every reload this happens again (including during HMR from Vite), until eventually the cookie storage is full and reloading throws errors. On previous versions of my site this third cookie also exists, but it is always overwritten during reloads, so the cookie storage stays normal.
This problem exists on Laravel 10.10 and up, and does not exist on Laravel 10.9 or down. Previously I worked with 10.3 for a while, as does my live server currently, without this problem.
Setup
Laravel 11 (though this problem also seems to exist on Laravel 10.10 and up)
Guzzlehttp 7.8.1 (Same with v7.4.5 when running Laravel 10.10)
Laravel Sanctum 4.0 (Same with v3.2 when running Laravel 10.10)
Vite 5.3.1 & Vue 3.4.29
Running on Localhost
Relevant config:
.env
SESSION_SECURE_COOKIE=false
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=localhost:8000,localhost:3000
Http\Kernel.php
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        'api' => [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
Http\Middleware\VerifyCsrfToken.php
    protected $except = [
        '/api/logout',
        'api/broadcasting/auth'
    ];
The rest of the configuration is default or does not seem relevant from my searches. Keep in mind that this is the configuration for Laravel 10.10 and some changes might have to be made for the Laravel 11 upgrade.
What I’ve tried
I’ve searched around a lot to try and find the answers to this, read up on the documentation for Laravel, Laravel cookie management, Sanctum etc. I haven’t found anyone with this exact issue, but related issues mentioned the .env settings for session domains and Sanctum stateful domains. From what I can tell the settings should be correct as I have them now. I’ve scoured the upgrade guides for Laravel, the changelogs for previous versions, the changes made between 10.9 and 10.10 and looked for any relevant information in these changes.
I have tried changing the ‘SANCTUM_STATEFUL_DOMAINS’ to ‘localhost’, which resolves the cookie problem, but prevents me from logging in; it just logs me straight back out. I also don’t think that’s the answer, just thought it relevant to mention. Most changes to ‘SESSION_DOMAIN’ prevent the site from setting any cookie correctly at all.
Edit: I have updated the live version of this site and it has the same problem (running Laravel 11, Vite 5, etc). In normal use it wouldn’t be an issue on production unless someone refreshes the page 20 times within 2 hours. This should rule out any settings related to localhost.
Any help would be appreciated, I’m still pretty new to development so there may be obvious things I’ve missed, and I’m happy to share more relevant info. Thanks in advance!
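Added example, not part of the original post and not Laravel or Sanctum code: a small Node.js diagnostic that replays the `Set-Cookie` headers captured from successive page loads and reports which cookie names are rewritten on every load and which are left behind in the jar, the symptom described above. The function names, cookie values and random-looking names are constructed for illustration, and the jar is keyed by name only (domain and path are ignored).

```javascript
// Added diagnostic example; cookie names and values below are constructed.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// A Set-Cookie is a deletion when Max-Age <= 0 or Expires lies in the past.
function isExpired(cookie, now) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']) <= 0;
  if ('expires' in cookie.attrs) return Date.parse(cookie.attrs.expires) <= now;
  return false;
}

// Replay successive page loads into a jar keyed by cookie name and report
// which names are set on every load and which are never overwritten or expired.
function auditReloads(reloads, now = Date.now()) {
  const jar = new Map();  // name -> index of the load that last set it
  const seen = new Map(); // name -> number of loads that set it
  reloads.forEach((headers, load) => {
    for (const cookie of headers.map(parseSetCookie)) {
      if (isExpired(cookie, now)) { jar.delete(cookie.name); continue; }
      jar.set(cookie.name, load);
      seen.set(cookie.name, (seen.get(cookie.name) || 0) + 1);
    }
  });
  const last = reloads.length - 1;
  const stable = [...seen].filter(([, n]) => n === reloads.length).map(([name]) => name);
  const leftover = [...jar].filter(([, load]) => load < last).map(([name]) => name);
  return { jarSize: jar.size, stable, leftover };
}

// Constructed capture: three reloads, each setting a differently named third cookie.
const SAMPLE_RELOADS = ['aaaa1111', 'bbbb2222', 'cccc3333'].map((rnd) => [
  'XSRF-TOKEN=constructed-token; Path=/; Max-Age=7200; SameSite=Lax',
  'laravel_session=constructed-session; Path=/; Max-Age=7200; HttpOnly; SameSite=Lax',
  `${rnd}=constructed-payload; Path=/; Max-Age=7200; HttpOnly; SameSite=Lax`,
]);

console.log(auditReloads(SAMPLE_RELOADS));
```

A non-empty `leftover` list means the server issued a cookie under a new name without expiring the old one, so the jar grows by one entry per reload.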